Note: This article first appeared in the November 2021 edition of the Privacy Law Bulletin.

  • Australian Privacy Principle (APP) entities should expect compensation claims for privacy breaches.

  • The Office of the Australian Information Commissioner's (OAIC) "tariff" in the 'WP' and Secretary to the Department of Home Affairs (Privacy) (WP) case is the best guidance at the moment of what compensation might be.

  • Compensation can be significant given the potentially large class of persons affected by a privacy breach.

Australia is yet to legislate a private cause of action for individuals in relation to privacy and data breaches (although there are other causes of action available).

The private cause of action has been a topic of discussion for some time now, with the Australian Competition and Consumer Commission (ACCC) recommending the introduction of a private cause of action.2 

In particular, ACCC Recommendation 16(e) advocates the introduction of direct rights of action for individuals under the Privacy Act 1989 (Cth) (the Act), as well as higher penalties for breach of the Act in Recommendation 16(f). The OAIC supports this recommendation.3 

In any event, the OAIC may make an order for compensation via s 52 of the Act. Pursuant to s 52(1)(a) or (b)(iii), the Commissioner may make a declaration that "the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint".

Furthermore, under s 52(3) of the Act, in reference to s 52(1)(a) or (b), the Commissioner may also make an order for compensation in respect of reasonable expenses, whether incurred in the making of the complaint or in the investigation itself.

In addition, two or more individuals can make a complaint under s 36 of the Act, which provides for the making of representative complaints.

A representative complaint is:

. . . a complaint where the persons on whose behalf the complaint was made include persons other than the complainant, but does not include a complaint that the Commissioner has determined should no longer be continued as a representative complaint.4 

Despite the absence of a cause of action, there have been a number of privacy claims that utilise employment law5 and the Australian Consumer Law. It is clear, in respect of the latter, that privacy policies are representations of trade and commerce, and even without them, a corporation's activities themselves are conduct in trade or commerce that are capable of being misleading or deceptive.

In this paper the authors review the available data to determine whether there is a "tariff" in Australia for compensation for breaches of privacy.

Damage principles

A causal link must be made out between the breach and any loss. The relevant causation principles espoused by the High Court in March v E and MH Pty Ltd6 are as follows:

  • causation is ultimately a question of common sense and experience, determined on the facts of each case

  • in law, causation is a question identifying where legal responsibility should lie, rather than examining the cause of event from a scientific or philosophical viewpoint; policy issues and value judgments have a role to play in determining whether, for legal purposes, a circumstance is found to be causative of loss

  • a "but for" analysis is not a sufficient test of causation, although it may be a guide; and

  • where there are multiple elements, each one sufficient on its own to have caused the loss, the causation test may be considered satisfied by each one of them

Economic loss

Damages for economic loss are awarded to restore an individual to "the same position as he would have been in if he had not sustained the wrong for which he is now getting his compensation".7

Their calculation is relatively straightforward and will not be dealt with further.

Non-economic loss

Damages for non-economic loss, also known as general damages, are awarded when an individual is found to have faced certain hardships due to relevant circumstances. This encompasses any instances of pain, suffering, disability as well as loss of amenity of life, past and future.

The Civil Liability Act 2002 (NSW) limits the amount recoverable by such claims and sets an upper limit on the amounts that may be awarded.

The maximum sum recoverable for such a claim fluctuates depending on the average weekly earnings of full-time adults seen in s 17(2) of the Civil Liability Act. As at October 2021 the maximum amount awardable is $350,000. This is indexed yearly under s 17(1) of the Civil Liability Act.

However, this is reserved for a "most extreme case". Less extreme injuries are compensated with the award calculated as a percentage of this sum. Section 16(3) of the Civil Liability Act states the formula necessary for said calculation.

Under s 16(1), no damages may be awarded for non-economic loss unless the severity of loss is at least 15% of a most extreme case. The case of Berkeley Challenge Pty Ltd v Howarth8 found that the court, when assessing the proportion of a most extreme case, is not required to arrive at an unrealistic level of precision as long as the percentage stated falls within a reasonable range of assessment as set out in s 16.

The OAIC "guidance" - pure Privacy Act breaches

On 11 January 2021, the Information and Privacy Commissioner issued a determination in WP requiring payment of compensation for non-economic loss to individuals affected by an unauthorised data disclosure incident.

The claim arose from a data breach by the Department of Immigration publishing on its website a report summarising key statistics in immigration detention. Inadvertently, this report contained an embedded Microsoft Excel spreadsheet containing the personal information of 9258 individuals in immigration detention at the time.

The information comprised names, citizenship details, period of immigration detention and reasons why the individual was considered an unlawful non-citizen, amongst other things. The report was available on the Department's website for 8 days and subsequently available on an internet archive site for a total of 16 days.10

A total of 9258 individuals were affected by the data breach.11 Only 1297 members provided submissions or evidence of loss or damage.12

In its declaration, the Commissioner ordered that the 1297 class members who made submissions and/or provided evidence of loss or damage to the OAIC be paid compensation by the Department for their loss or damage under s 52(4)(a) of the Act.13 

The respondent was ordered to assign a quantum of damages for each participating class member with reference to the below table.

Addendum A to the OAIC decision includes the following table setting out categories of loss or damage experienced by members of the class and indicative quantum of compensation - it seems clear that the OAIC intended to publicise a "tariff" for Act breaches:14 
| Category | Non-economic loss | Indicated quantum of compensation |
|---|---|---|
| 0 | individual did not provide a submission or evidence substantiating loss or damage | $0 |
| 1 | general anxiousness, trepidation, concern or embarrassment | $500-$4000 |
| 2 | moderate anxiousness, fear, pain and suffering, distress or humiliation which may cause minor physiological symptoms such as loss of sleep or headaches and may result in consultation with a health practitioner | $4001-$8000 |
| 3 | significant or prolonged anxiousness, fear, pain and suffering, distress or humiliation which may cause psychological or other harm and may result in a prescribed course of treatment from a general practitioner | $8001-$12,000 |
| 4 | development or exacerbation of a mental health condition resulting in a referral to a mental health specialist for treatment | $12,001-$20,000 |
| 5 | extreme loss or damage | >$20,000 |

The process to assess whether particular class members fall within the defined categories in the table above is expected to conclude within the next 12 months.

The power to award aggravated damages in addition to general damages is found in s 52 of the Act. The OAIC observed that:15

... aggravated damages are given to compensate a person where the harm suffered was aggravated by the manner in which the act was done, rather than to punish a wrongdoer or deliver a measure of deterrence ... 16 

An award of aggravated damages is not justified in circumstances where:17

  • the Data Breach occurred inadvertently

  • the respondent promptly took steps to address the underlying cause of the Data Breach

  • the respondent commissioned an independent investigator/auditor to investigate the Data Breach, and provide recommendations to prevent reoccurrence of a similar data breach

  • the respondent also adopted and implemented a number of the independent investigator's/auditor's recommendations

  • the respondent apologised to class members, and cooperated with the OAIC throughout the representative complaint process

Privacy Class Actions

In Evans v Health Administration Corp,18 an NSW Ambulance privacy class action, which settled early November 2020, the NSW Supreme Court approved a settlement in the sum of $275,000. The class was seeking damages and equitable compensation, including aggravated damages.

The case concerned contractors for Ambulance NSW who unlawfully accessed and sold sensitive information of over 100 ambulance NSW staff including workers compensation files and medical records to personal injury law firms.

The settlement saw each group member receive around $2400 and the lead plaintiff, Tracy Evans, around $10,000 for her stress and burden as the representative plaintiff.

Following the success of the NSW Ambulance class action, and the strong trajectory for privacy class actions in the future, a class action in relation to a Service NSW data breach is being investigated.

The potential class action is still in its early stages but concerns a Service NSW data breach that exposed the personal and health information of more than 100,000 people. The data breach involved the compromise of 47 Service NSW staff email inboxes by hackers.

Historical review of OAIC decisions

A review was undertaken of all published OAIC decisions found within the Australian Information Commissioner's database.19 The data set encompassed all relevant cases reported from the current year (October 2021) back to 2016 and we set out below all cases where a monetary penalty was awarded following the establishment of a breach.
| Date | Case | Summary | Award |
|---|---|---|---|
| 2021 (August) | 'XU' and Amazon Australia Services Inc (Privacy)20 | Disclosure to a third party without consent. Whether such disclosure was reasonably necessary. Complainant sought damages in aggravation, as well as for economic and non-economic loss. | $3000 non-economic loss. Nil other. |
| 2021 (June) | 'XH' and 'XI' (Privacy)21 | Privacy, Crimes Act 1914 (Cth), Quashed Convictions Scheme. Disclosure of a quashed conviction without complainant's consent. Sought damages for non-economic loss and aggravated damages. | $2500 in non-economic loss. Nil other. |
| 2021 (April) | 'WZ' and CEO of Services Australia (Privacy)22 | Privacy, respondent disclosed residential address of complainant to a former partner. History of domestic violence. Complainant had previously notified respondent of separation. Sought both economic and non-economic damages, as well as an award for reasonably incurred expenses. | $10,000 awarded for non-economic loss, $8000 for legal expenses, $1980 incurred expenses. |
| | 'XA' and CEO of Services Australia (Privacy)23 | | |
| 2021 (January) | 'WP' and Secretary to the Department of Home Affairs (Privacy)24 | Data security failure, unauthorised disclosure of personal information. Embedded within standardised documentation was access to class members' information. Solicitors for the representative complainants sought compensation for both economic and non-economic losses on behalf of all class members. | Maximum compensation for non-economic loss $20,000. Economic loss follows a case-by-case calculation. Further process for determining any dispute regarding the entitlement of a class member to the payment. |
| 2020 (December) | 'WG' and Australian Super Pty Ltd (Privacy)25 | Personal information disclosed to former lawyers, failure to take reasonable steps to keep personal information up to date. Compensation sought for aggravated damages and non-economic loss. | Awarded for non-economic loss $4500. Nil other. |
| 2020 (November) | 'WC' and Chief of Defence Force (Privacy)26 | Spent convictions scheme, Australian Defence Force breached s 85ZW(b)(ii) of the Crimes Act 1919 (Cth) in taking into consideration a spent conviction when terminating complainant's employment as an officer. | Compensation for non-economic loss, $6000. Compensation for reasonably incurred expenses, $4850. |
| 2020 (September) | 'VJ', 'VK', 'VL' and 'VM'27 | Psychologist delayed access to personal information and, furthermore, failed to take such steps as were reasonable in the circumstances to protect said information. | 'VJ' awarded $3000 in non-economic loss, $1500 in aggravated damages. 'VL' awarded $2000 for non-economic loss and $1500 for aggravated damages. |
| 2020 (September) | 'VN' and 'VM'28 | Same facts as above. | Damages for non-economic loss totalled $3000. Aggravated damages, $3000. Economic loss, $295. |
| 2020 (September) | 'VQ' and Secretary to the Department of Home Affairs (Privacy)29 | Use and disclosure of complainant's spent convictions, and disclosure of inaccurate personal information by the respondent. | $2500 for non-economic loss. |
| 2020 (August) | 'VI' and CS/RO (Privacy)30 | Personal information provided for workers compensation claim, used for an employee's workplace grievance, sensitive medical information accessed. Sought compensation for non-economic loss. | No monetary compensation, apology ordered instead. |
| 2020 (June) | 'SD' and 'SE' and Northside Clinic (Vic) Pty Ltd31 | Disclosure to incorrect email address, sensitive medical information. | Compensation for non-economic loss $3000. |
| 2020 (June) | 'SF' and 'SG' (Privacy)32 | Treating psychologist - failure to provide access to personal information, failed to state reasons for refusal in writing. | Order for aggravated damages, $2000. Non-economic loss, $3000. |
| 2020 (June) | 'ST' and Chief Executive Officer of Services Australia (Privacy)33 | Disclosure for tribunal proceedings, whether authorised by or under law. | $3000 in non-economic damages awarded. |
| 2019 (August) | 'RC' and TICA Default Tenancy Control Pty Ltd (Privacy)34 | Definition of personal information, collection of personal information. Collecting personal information about the complainant from a third party without taking reasonable steps to ensure awareness. | Compensation awarded for non-economic loss, $1500. Declaration that respondent must take specified steps. |
| 2019 (June) | 'QP' and the Commonwealth Bank of Australia Ltd (Privacy)35 | Respondent used and disclosed personal information about the complainant which was inaccurate. | Non-economic loss awarded, $15,000. |
| 2019 (May) | 'QF' and Spotless Group Ltd (Privacy)36 | Improper disclosure through a related entity, failure to protect personal information from misuse and unauthorised disclosure. | Compensation awarded for aggravated, economic and non-economic loss. Amount determined per complainant. |
| 2017 (June) | 'LU' and Department of Defence (Privacy)37 | Data security failure, unauthorised use of sensitive data, failing to take such security safeguards as were reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure, and other misuse, contrary to the Information Privacy Principles. | Compensation under s 52(3) of the Privacy Act 1988 (Cth) awarded, $3000. Further compensation for non-economic loss, $10,000. |
| 2017 (June) | 'LS' and 'LT' (Privacy)38 | Access to personal information. Therapist. Failure to give written reasons for refusal. Failure to consider steps to give access. | Non-economic loss awarded, $1000. |
| 2017 (March) | 'LB' and Comcare (Privacy)39 | Data security failure, unauthorised disclosure of personal information. Disclosed on public website. | Awarded $20,000 in non-economic loss, $3000 under s 52(3) of the Privacy Act. |
| 2016 (November) | 'KB' and Veda Advantage Information Services and Solutions40 | Failure to adequately store and secure credit card information of complainant. Failure to give written notice of correction of data. | Non-economic loss awarded, $10,000. Expenses reasonably incurred, $5830. |
| 2016 (November) | 'KA' and Commonwealth Bank of Australia41 | Disclosure of personal information for reasons ultra vires. Failure to take reasonable steps to protect personal information. | $10,000 awarded for non-economic loss. |
| 2016 (September) | 'JO' and Comcare42 | Use or disclosure of personal information. Disclosing information about workplace injuries. | Non-economic loss awarded of $3000. |
| 2016 (June) | 'IY' and Business Services Brokers Pty t/as TeleChoice43 | Not taking reasonable steps to protect her personal information from interference. Not taking reasonable steps to destroy the information. | Compensation awarded for non-economic loss, $3500. |
| 2016 (June) | 'IX' and Business Services Brokers Pty t/as TeleChoice44 | Not taking reasonable steps to protect her personal information from interference. Not taking reasonable steps to destroy the information. | Compensation awarded for non-economic loss, $3500. |
| 2016 (June) | 'N' and 'IW'45 | Disclosure of complainant's personal information to third parties. Disclosure by medical practitioner of patient's medical record. | Compensation awarded, non-economic loss $10,000. |
| 2016 (June) | 'IQ' and NRMA Insurance, Insurance Australia Ltd46 | Disclosed private information to third parties. | Awarded non-economic loss $2000. |
| 2016 (June) | 'IR' and NRMA Insurance, Insurance Australia Ltd47 | Disclosed private information to third parties. | Awarded non-economic loss $3000. |


Conclusion

APP entities should treat the WP table as a tariff table pending further developments.

END NOTES

1. 'WP' and Secretary to the Department of Home Affairs (Privacy) AICmr 2.
2. Australian Competition and Consumer Commission, Digital Platforms Inquiry Final Report (June 2019), Recommendation 16(e).
3. Office of the Australian Information Commissioner, Privacy Act Review Issues Paper Submission - Part 10: Direct right of action, 2020, www.oaic.gov.au/privacy/the-privacy-act/review-of-the-privacy-act/privacy-act-review-issues-paper-submission/part-10.
4. Privacy Act 1989 (Cth), s 6.
5. For example, see Australian Licenced Aircraft Engineers Association v Virgin Australia Airlines Pty Ltd NSD1040/2021 (filed on 6 October 2021 in the Federal Court of Australia, New South Wales Registry), where the Australian Licensed Aircraft Engineers Association sues Virgin Australia Airlines Pty Ltd (Virgin) for allegedly breaching the Privacy Act and the APPs and seeks pecuniary penalties relating to the alleged breaches, injunctions restraining Virgin from collecting or ordering its staff to provide their IHIs, and orders requiring the airline to delete or redact any IHIs it currently has in its possession.
6. March v E & MH Stramare Pty Ltd (1991) 171 CLR 506; 99 ALR 423; BC9102636.
7. Livingstone v Rawyards Coal Co [1880] 5 App Cas 25.
8. Berkeley Challenge Pty Ltd v Howarth [2013] NSWCA 370; BC201314514.
9.  Above n 1, at [7].
10. Above n 1, at [10].
11. Above n 1, at [6].
12. Above n 1, at [22].
13. Above n 1, at [3].
14. Above n 1, at [17].
15. Above n 1, at [3].
16. Above n 1, at [85].
17. Above n 1, at [86].
18. Evans v Health Administration Corp [2019] NSWSC 1781; BC201911743.
19. AustLII, Australian Information Commissioner, www7.austlii.edu.au/cgi-bin/viewtoc/au/cases/cth/AICmr/2021/.
20. 'XU' and Amazon Australia Services Inc (Privacy) [2021] AICmr 42.
21. 'XH' and 'XI' (Privacy) [2021] AICmr 23.
22. 'WZ' and CEO of Services Australia (Privacy) [2021] AICmr 12.
23. 'XA' and CEO of Services Australia (Privacy) [2021] AICmr 13.
24. Above n 1.
25. 'WG' and AustralianSuper Pty Ltd (Privacy) [2020] AICmr 64.
26. 'WC' and Chief of Defence Force (Privacy) [2020] AICmr 60.
27. 'VJ', 'VK', 'VL' and 'VM' (Privacy) [2020] AICmr 45.
28. 'VN' and 'VM' [2020] AICmr 46.
29. 'VQ' and Secretary to the Department of Home Affairs (Privacy) [2020] AICmr 49.
30. 'VI' and CS/RO (Privacy) [2020] AICmr 44.
31. 'SD' and 'SE' and Northside Clinic (Vic) Pty Ltd [2020] AICmr 21.
32. 'SF' and 'SG' (Privacy) [2020] AICmr 22.
33. 'ST' and Chief Executive Officer of Services Australia (Privacy) [2020] AICmr 30.
34. 'RC' and TICA Default Tenancy Control Pty Ltd (Privacy) [2019] AICmr 60.
35. 'QP' and the Commonwealth Bank of Australia Ltd (Privacy) [2019] AICmr 48.
36. 'QF' and Spotless Group Ltd (Privacy) [2019] AICmr 20.
37. 'LU' and Department of Defence (Privacy) [2017] AICmr 61.
38. 'LS' and 'LT' (Privacy) [2017] AICmr 60.
39. 'LB' and Comcare (Privacy) [2017] AICmr 28.
40. 'KB' and Veda Advantage Information Services and Solutions [2016] AICmr 81.
41. 'KA' and Commonwealth Bank of Australia [2016] AICmr 80.
42. 'JO' and Comcare [2016] AICmr 64.
43. 'IY' and Business Services Brokers Pty t/as TeleChoice [2016] AICmr 44.
44. 'IX' and Business Services Brokers Pty t/as TeleChoice [2016] AICmr 44.
45. 'N' and 'IW' [2016] AICmr 41.
46. 'IQ' and NRMA Insurance, Insurance Australia Ltd [2016] AICmr 36.
47. 'IR' and NRMA Insurance, Insurance Australia Ltd [2016] AICmr 37.

This is commentary published by Colin Biggers & Paisley for general information purposes only. This should not be relied on as specific advice. You should seek your own legal and other advice for any question, or for any specific situation or proposal, before making any final decision. The content also is subject to change. A person listed may not be admitted as a lawyer in all States and Territories. © Colin Biggers & Paisley, Australia 2024.