Legal Update: March 2020
Data breaches involving an individual’s personal, medical and financial/credit information can result in reputational damage and financial losses. The Australian privacy law provides for an individual affected by a data privacy breach to seek compensation from the organisation involved in the breach. The individual may also have claims for the data privacy breach based on breach of contract, negligence and/or contravention of the Australian Consumer Law. Entities can also be fined for serious and repeated privacy breaches.
Compensation for Privacy Breach
Stephens Lawyers & Consultants provides a review of the compensation awards in determinations made by the Office of the Australian Information Privacy Commissioner (“Privacy Commissioner”) for privacy breaches[i]. [Read our Review and Case Summaries – updated July 2020]
In addition to awarding compensation for non-economic loss for reputational damage, stress, injury to feelings and humiliation caused by the privacy breach, the Privacy Commissioner’s determinations have included the following remedies:
- An apology.
- A requirement that the organisation adopts and implements particular remedial measures in response to privacy breaches.
- A requirement that the organisation reviews its privacy/information handling policies and procedures and conduct staff training and make necessary changes to ensure information is accurate, complete and up-to-date.
- A requirement that the organisation undertake an independent audit of its policies and operation processes.
- A requirement that the organisation reviews new remedial measures adopted and reports the findings of that review to the OAIC.
- Reimbursement of reasonably incurred costs and expenses.
Although the reported individual compensation awards have not been significant to date, ranging from $1,000 to $20,000 for non-economic loss for each privacy breach, the overall compensation that may be payable by an organisation could be in the hundreds of millions, particularly where the breach involves the data of a large number of individuals. The Privacy Commissioner can also award compensation for economic loss.
Katarina Klaric, Principal at Stephens Lawyers & Consultants, predicts that in 2020 there will be a significant increase in the number of class actions commenced in Australia against companies claiming compensation for data security breaches involving personal and confidential information of individuals.
In the United States a class action has been commenced against Marriott International in relation to a data breach incident, alleging negligence, breach of confidence and deceptive and unfair trade practices and claiming compensation for the injury suffered including anxiety, emotional distress, loss of privacy, non-economic and economic loss[ii].
The data security incident involved Marriott International’s Starwood hotels guest reservation database containing the personal information of up to 386 million guests, including names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (“SPG”) account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences[iii]. Australian residents who were of Starwood hotels were affected by the breach. Marriott International lost its bid to strike out the claim in 2019.
Penalties for Privacy Breach
The Australian Privacy Commissioner can also apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a pecuniary penalty for certain privacy breaches or breaches of the credit reporting provisions under the Privacy Act 1988 (Cth). Depending on the type of breach, the fine can range from $525,000 to $2.1 million for a body corporate and from $105,000 to $420,000 for any other entity[iv].
On 9 March 2020, the Privacy Commissioner commenced proceedings in the Federal Court of Australia against Facebook Inc and Facebook Ireland seeking the orders that Facebook pays civil pecuniary penalties for privacy breaches[v]. During the time of the alleged breach, each contravention attracted a maximum penalty of $1.7 million.
The Privacy Commissioner alleges that:
- During the period between 12 March 2014 and 1 May 2015 Facebook seriously and/or repeatedly interfered with the privacy of approximately 311,127 Australian Facebook Users by disclosing their personal information (including sensitive information) to a third party application, “This is Your Digital Life” App, whose developers on sold the personal information to the political consulting firm Cambridge Analytica. As a result individuals’ information was exposed to risk of disclosure, monetization and use for political profiling.
- Facebook breached Australian Privacy Principle (AAP) 6 by disclosing the personal information for purposes other than those for which it was collected.
- Facebook breached APP 11 by failing to take reasonable steps to protect the individuals’ personal information.
At the date of commencement of court proceedings, Facebook had failed to provide the Privacy Commissioner with the precise record of the individuals’ personal information which has been disclosed to the “This is Your Life” App’s developers, further indicating deficiencies in Facebook’s systems for the protection of personal information from unauthorized disclosure[vi].
The Australian Privacy Commissioner’s court action against Facebook follows significant penalties being imposed by privacy regulators in the United States, UK and in Europe.
The Australian Privacy Commissioner is still investigating the Marriott International data privacy breach. However other privacy regulators have already issued penalty notifications.
The UK Information Commissioner’s Office (ICO) issued a notification to Marriot International of its intention to impose a fine of £99,200,396 for infringement of the General Data Protection Regulations (“GDPR”) for the data security breach involving the Starwood guest reservation database incident. Marriott International has the right to respond before any final determination is made and a fine can be issued by the ICO[vii].
Authored by Katarina Klaric
© Stephens Lawyers & Consultants. 9 March 2020.
This update is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
[i] OAIC Determinations webpage https://www.oaic.gov.au/privacy-law/determinations/
[ii] Bell and Claffy v Marriott International, Inc. Case 8:18-cv-03684-PX (30 November 2018), US District Court. Maryland District. https://www.scribd.com/document/394570724/Complaint-Against-Marriott-by-Morgan-Morgan#from_embed?campaign=SkimbitLtd&ad_group=88665X1541752X324bd36c0c01054ac57da6966c6a3c39&keyword=660149026&source=hp_affiliate&medium=affiliate
[iii] Marriott International, Original notice of Starwood Guest Reservation Database Security Incident issued by Marriott International on 30 November 2018 and updated on 4 January 2019 https://answers.kroll.com/?gclid=CNimmt284t8CFY3S1AodI3YNVQ&gclsrc=ds
[iv] Privacy Act 1988 (Cth), s 6, s13, s13G and s 80U; See Crimes Act 1914 (Cth) s 4AA for the amount of a penalty unit.
[v] Australian Information Commissioner v Facebook In. & Anor NSD 246/2020.
[vi] Ibid. Concise Statement filed in Federal Court.
[vii] Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach, UK Information Commissioner’s Office, 9 July 2019 https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/