Privacy compliance remains of major importance for businesses.  Privacy breaches can have a significant impact on businesses and result in:

  • Business disruption
  • Significant costs in responding to a privacy breach
  • Reputational damage
  • Loss of valuable intellectual property/confidential information
  • Loss of business and revenue
  • Reduction in capital/share value of the business
  • Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
  • Regulatory fines and penalties, and
  • Compensation claims by individuals/class actions.

In this update, Stephens Lawyers & Consultants provides an overview of the compensation awarded in determinations made during the period October 2022 – July 2024 by the Office of the Australian Information Privacy Commissioner (‘Privacy Commissioner’) in relation to privacy breaches and some of the factors taken into account by the Privacy Commissioner in awarding compensation and costs. Although the reported individual compensation awards have not been significant to date, the overall compensation that may be payable by an organisation could be in the hundreds of millions, particularly where the breach involves the data of a large number of individuals.

In addition, the Privacy and Other Legislation Amendment Bill 2024 (‘Bill’) is currently before the Australian Parliament.  The Bill proposes the ‘first tranche’ of changes to the Privacy Act which will, if passed, introduce and strengthen the rights of individuals to directly claim compensation and remedies for privacy breaches including by:-

– introducing a statutory tort for serious invasions of privacy; and

– expanding the Australian Information Commissioner’s powers and options available to enforce the Privacy Act – including with new civil penalties and infringement notices for less serious privacy breaches.

With long-awaited privacy reforms now imminent, businesses cannot afford to be complacent about privacy compliance. It should be a priority for all organisations and businesses that collect or hold Australians’ personal information.

Compensation for Privacy Breaches determined by the Australian Information and Privacy Commissioner – Oct 2022 to July 2024

During the period of 2016 to July 2024 the awards for compensation for non-economic loss for privacy breaches have ranged from about $1,000 to $20,000 – with those awards made during October 2022 to July 2024 ranging from $1,500 to $3,000.

The OAIC privacy breach Determinations indicate the factors that are taken into account by the Australian Information Commissioner in deciding whether to make any compensation award for a privacy breach and the amount to be awarded. These factors include:-

  • The type and sensitivity of the personal information disclosed;
  • The number of people to whom the personal information has been disclosed – as well as evidence of the number and type of people who have actually accessed/seen it;
  • The complainant’s reaction to the privacy breach – including level and duration of the hurt feelings, distress and anxiety resulting directly from the privacy breach – and the evidence supporting that (such as statutory declarations and, where relevant, medical/psychologist reports);
  • Evidence of the actual costs/expenses incurred as a result of the privacy breach and the reasonableness of same;
  • Evidence of any financial and other losses incurred as result of the privacy breach; and
  • For an aggravated damages claim, the respondent’s conduct/behaviour upon being informed or becoming aware of the privacy breach – including any evidence showing if the respondent’s conduct was high handed, malicious, insulting or oppressive.

Each case is determined on its merits having regard to the documentary evidence submitted to the OAIC which supports the privacy breach and the claim for compensation.

Although, since 2016, the OAIC has been involved in the determination of many complaints involving privacy breaches, during the period October 2022 to July 2024 there have been only three (3) published determinations by the OAIC where compensation has been awarded.  This suggests that the privacy breach complaints are being resolved, without the need to lodge a complaint with the OAIC or, where a complaint has been lodged with the OAIC, it has been resolved by conciliation.

The decline in OAIC Determinations for privacy breaches may also be as a result of a number of class actions having been commenced during 2022/2023 against Medicare and Optus alleging breach of contract and the Australian Consumer Law and negligence in respect of cybersecurity and data breaches.

Class actions

In 2023 a class action was commenced against Optus in the Federal Court of Australia on behalf of more than 100,000 registered individual participants, which includes claims that Optus breached Australian consumer laws and failed in its duty of care to protect users from harm.

More recently, the Australian Information Commissioner filed civil penalty proceedings in the Federal Court of Australia against Medibank Private Limited (Medibank) for seriously or repeatedly interfering with the privacy of approximately 9.7 million individuals (comprising current and former Medibank customers)[i], whose personal information it held, by failing to take reasonable steps to protect that personal information from misuse, and/or from unauthorised access or disclosure:-

  • in contravention of s 13G of the Privacy Act 1988 (Cth) (Act); and
  • in breach of Australian Privacy Principle (APP) 11.1.[ii]

While it is up to the Federal Court to determine whether to make a civil penalty order against Medibank, if that determination is made, “the Federal Court can impose a civil penalty of up to $2,220,000 for each contravention of section 13G (as per the penalty rate applicable from March 2021 to October 2022)”[iii].

TO READ Stephens Lawyers & Consultants’ FULL review of compensation awarded in Determinations made during the period October 2022 – July 2024 and published by the Office of the Australian Information Commissioner (OAIC) in relation to privacy breaches, SEE HERE.


Disclaimer: This legal update is not intended to be a substitute for obtaining legal advice.

© Stephens Lawyers & Consultants – 15 October 2024 – Authored by Rochina Iannella, Consultant, Stephens Lawyers & Consultants. The contribution of Katarina Klaric, Principal, in editing this update is acknowledged.

For further information contact:

Katarina Klaric

Principal

Stephens Lawyers & Consultants

Melbourne Head Office

Suite 205, 546 Collins Street, Melbourne VIC 3000

Phone: (03) 8636 9100   

Sydney Office

Level 29, Chifley Tower, 2 Chifley Square, Sydney, N.S.W. 2000
Phone: (02) 9238 8028

Email: [email protected]

Website: www.stephens.com.au

All Correspondence to:

PO Box 16010
Collins Street West
Melbourne VIC 8007



[i] OAIC, “OAIC takes civil penalty action against Medibank”, published 5 June 2024; OAIC website accessed 3 September 2024 (“OAIC takes civil penalty action against Medibank | OAIC”).

[ii] OAIC, “Australian Information Commissioner v Medibank Private Limited Concise Statement”, par 1, OAIC website, published 5 June 2024; accessed 3 September 2024 (“Australian Information Commissioner v Medibank Private Limited concise statement”, oaic.gov.au).

[iii] Op. cit., “OAIC takes civil penalty action against Medibank”, published 5 June 2024; OAIC website accessed 3 September 2024.