TL;DR:
Data breach litigation in Australia is a relatively new occurrence.
The courts have recently decided that a multiplicity of court cases and administrative investigations into the same incident may run in parallel.
In the one administrative investigation of a representative complaint which has reached the stage of assessing damages payable to class members, an individualised approach was taken which may prove to be both expensive and time-consuming. The entity responsible for the data breach must pay for the cost of the assessment process in addition to the damages that are assessed. This can be contrasted with the typical approach in class action settlements approved by the courts, in which a total sum of damages is awarded, and the expense of the process of assessing how that sum is to be allocated between members of the class is deducted from the settlement sum.
We can expect plaintiff lawyers to follow the outcomes achieved under the different kinds of actions (class actions in court, representative complaints to the Office of the Australian Information Commissioner (OAIC) and own-motion investigations by the OAIC), and take them into account when considering what kind of case to bring in relation to future large-scale data breaches.
----
Given the number of data breaches that have been reported to the Office of the Australian Information Commissioner since the mandatory data breach reporting regime took effect in 2018, it is surprising that there has been a limited number of cases that have explored the representative complaints regime under the Privacy Act 1988 (Cth).
Justice Beach of the Federal Court of Australia has decided two cases within the space of a week, both arising from large-scale cyber incidents, that will help privacy professionals better understand the legal contours of the representative complaints regime. The first in time, Medibank v Australian Information Commissioner, considered whether a representative complaint before the Commissioner should be deferred until a consumer class action filed under Part IVA of the Federal Court of Australia Act had been determined. The second, Foley v Australian Information Commissioner, considered whether the Commissioner was precluded from investigating a second representative complaint into the same incident once one investigation was underway.
These decisions follow the September 2023 decision of Justice Perry of the Federal Court of Australia, sitting in the Administrative Appeals Tribunal in a merits review of a decision by the Information Commissioner, in relation to the approach to assessment of damages payable by the Department of Home Affairs in a representative complaint made on behalf of a group of asylum seekers whose information had been mistakenly disclosed by the Department in an incident that occurred in 2014 (HYYL v Privacy Commissioner).
The key points to emerge from this trio of cases are:
- The Privacy Act permits multiple representative complaints to be filed in respect of the same incident. The Commissioner is not required to investigate only the representative complaint that is filed first in time. Rather, each must be investigated and the Commissioner has discretion to (a) determine that a complaint should no longer continue as a representative complaint if one of the criteria set out in section 38A(2) applies, and (b) decide not to investigate, or not to investigate further, any of the representative complaints for any of the ordinary reasons available under section 41.
- If multiple complaints are investigated in respect of the same incident (including an own-motion investigation and one or more representative complaints), the Commissioner may make determinations in respect of each complaint, but has power to ensure that class members are not compensated twice for the same loss by exercising powers under subsection 52(4) and (5). These provisions empower the Commissioner to provide for payments to be worked out in a manner specified by the Commissioner.
- If representative proceedings have been filed in the Federal Court in respect of an incident, the existence of those proceedings does not mean that the Commissioner must cease investigating a representative complaint or pursuing an own-motion investigation. It would only be appropriate for the court to restrain the Commissioner’s investigation if there was a real and definitive tendency to prejudice or embarrass the Federal Court proceedings. This is a high bar.
- In the HYYL case, the AAT (standing in the shoes of the Commissioner in a merits review case) showed a strong preference for individualised justice when working out the amounts to be paid to class members of a successful representative complaint. The Tribunal decided that each class member should fall into one of 5 categories, depending on the kind of damage proved by the individual, with a particular range of damages available for each category. Further, the Tribunal considered that it was appropriate that each individual’s damages be assessed on a spectrum against other individuals within each category. The entity responsible for the data breach (the Department of Home Affairs) was required to fund the assessment process in addition to the damages payable to the class members. The expenses associated with this kind of individualised assessment process could well represent a high percentage of the total damages awarded to all members of the class, and it will clearly take a considerable time for the claims of all class members to be assessed. The HYYL case involved approximately 5,000 class members (although fewer than 2,000 submitted evidence of loss to the OAIC). This kind of individualised approach could be highly burdensome with larger class sizes, and we predict that respondents in other cases will push for a faster and more efficient process, even if it may result in the respondent paying more to class members than they would have through a highly individualised approach. The approach of the Tribunal in this case can be contrasted with the typical approach in class action settlements approved by the courts, in which a total sum of damages is awarded, and the expense of the process of assessing how that sum is to be allocated between members of the class is deducted from the settlement sum.
In considering the interaction between the Commissioner’s determination making powers and court proceedings in relation to the same incident, Justice Beach considered the nature of the Commissioner’s powers in a much greater level of detail than other judicial cases have done to date. Because the Commissioner is not a court, she may not exercise judicial power, which means that her determinations are not enforceable by themselves. If a complainant or respondent disagrees with the Commissioner’s determination, they may appeal on the merits to the Administrative Appeals Tribunal (as occurred in the HYYL case) or seek judicial review of the Commissioner’s decision. If the respondent fails to comply with a determination, the complainant and the Commissioner may apply to a federal court for an order to enforce the determination. In that scenario, the court must conduct a hearing ‘de novo’ but may receive as evidence the Commissioner’s reasons for determination and a copy of any document that was before the Commissioner. This much was generally known by Australian privacy lawyers. But Justice Beach went further in his consideration of the nature of a determination by the Commissioner and stated that, in his opinion, the Court also has power under section 80W of the Privacy Act to grant an injunction in order to enforce certain aspects of the Commissioner’s determination if the respondent refuses to comply. The relevant aspects of a determination that may be enforced in this manner are those that involve a declaration by the Commissioner that the respondent must do something (e.g. implement a remediation program, or publish a statement about the conduct that was investigated), or refrain from doing something. Any person (including the Commissioner and a complainant or class member in a representative complaint) has standing to apply for such an injunction.
Of course, an injunction is a discretionary remedy, so a respondent would have an opportunity to argue that aspects of the Commissioner’s determination not be enforced by injunctive relief because it was made in error, or because it was otherwise inappropriate (e.g. because it would not be possible for a court to supervise the enforcement).