Head office - Melbourne +61 3 8636 9100
Sydney office +61 2 9238 8028

Compensation for Privacy Breaches

The Optus data breach involving the disclosure of personal information of about 10 million Optus customers, exposes Optus to claims for compensation under the Privacy Act 1988 (Cth) (‘Privacy Act’) and also to possible claims for breach of contract, negligence and contravention of the Australian Consumer Law.  Stephens Lawyers & Consultants is assisting individuals with responding to the Optus privacy breach.

Individuals seeking compensation under the Privacy Act have 12 months from becoming aware of the privacy breach to make the claim against Optus. If a compensation claim under the Privacy Act cannot be resolved directly with Optus, individuals can file a complaint with the Office of the Australian Information Commissioner (OAIC) for determination.  A claim for compensation for a privacy breach may include a claim for associated stress and anxiety, reasonable expenses incurred and financial loss resulting from the breach. However, it is important that individuals take reasonable steps to mitigate the risk of loss. This may involve replacing passports, driver’s licences, credit cards and other identification documents and changing passwords.  If making a claim for compensation it is important that individuals keep accurate records of how the breach has impacted them and the time and costs involved in dealing with the data breach and mitigating their potential losses.

Privacy Commissioner compensation determinations – 2020 – 2022

Stephens Lawyers & Consultants provides a review of the compensation awarded in determinations made during the years 2020 – September 2022 by the Office of the Australian Information Privacy Commissioner (‘Privacy Commissioner’) in relation to privacy breaches and some of the factors taken into account by the Privacy Commissioner in awarding compensation and costs. Although the reported individual compensation awards have not been significant to date, ranging from $1,000 to $20,000 for each privacy breach, the overall compensation that may be payable by an organisation could be in the hundreds of millions, particularly where the breach involves the data of a large number of individuals. [To read Stephens Lawyers & Consultant’s Review of Compensation Awarded in Determinations made by the Privacy Commissioner during the period 2020 – September 2022 see here.]

Compensation under the Privacy Act 1988 (Cth)

Under the Privacy Act 1988 (Cth), individuals have the right to make complaints to the Privacy Commissioner if they believe that their privacy has been breached by an organisation.[i] The Privacy Commissioner must then investigate the complaint and make a finding about whether the individual’s privacy has been breached.[ii]  If the Privacy Commissioner finds that there has been a privacy breach, the Commissioner has the power to make a determination that certain remedies be provided to the individual whose privacy has been breached, including requiring the organisation to pay compensation to the individual whose privacy has been breached.[iii] In the case of complaints involving claims for compensation for a privacy breach, the Privacy Commissioner will not deal with the claim unless the individual has first made a claim directly to the organisation involved in the breach. [iv]

In recent cases, the remedies awarded by the Privacy Commissioner have included the following:

  1. An apology.
  2. A requirement that the organisation adopts and implements particular remedial measures in response to privacy breaches.
  3. A requirement that the agency reviews its privacy/information handling policies and procedures and conduct staff training.
  4. A requirement that the agency reviews new remedial measures adopted and reports the findings of that review to the OAIC.
  5. Compensation for non-economic loss.
  6. Reimbursement of reasonably incurred expenses including reasonable legal costs associated with making a claim for compensation.

The Privacy Commissioner can also apply to the Federal Court or Federal Circuit Court for an order requiring an entity to pay a fine for certain privacy breaches or breaches of the credit reporting provisions under the Act. Depending on the type of breach, the fine can range from $525,000 to $2.1 million for a body corporate and from $105,000 to $420,000 for any other entity[v].

If an entity is fined for a privacy breach or breach of the credit reporting provisions, then an individual who has suffered loss or damage as a result of the breach can make an application to the Federal Court or the Federal Circuit Court for a compensation order for loss or damage suffered including injury to feelings and humiliation and economic loss[vi].

Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants

© Stephens Lawyers & Consultants; 28 September 2022.

This update is not intended to be a substitute for obtaining legal advice. 

For further information contact:

Katarina Klaric
Principal
Stephens Lawyers & Consultants

Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
Email: [email protected] 
Website: www.stephens.com.au 

All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007

[i] Privacy Act 1988 (Cth), s 36

[ii] Privacy Act 1988 (Cth), s 40(1)

[iii] Privacy Act 1988 (Cth), s 52

[iv] Privacy Act 1988 (Cth), s 40(1A)

[v] Privacy Act 1988 (Cth), s 6, s 13, s 13G, s 80Q and s 80U; See Crimes Act 1914 (Cth) s 4AA for the amount of a penalty unit.

[vi] Privacy Act 1988 (Cth), Part IIIA, s 20E