An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
Public and private enforcement
i Enforcement agencies
The OAIC
The regulator responsible for enforcing the Privacy Act is the OAIC.
If an individual makes a privacy complaint, the OAIC has the power to attempt, by conciliation, to effect a settlement of the matter. The OAIC can also make a determination that:
- the entity has interfered with the privacy of an individual and must cease the conduct;
- the individual is entitled to compensation for loss or damage suffered (including for injury to feelings or for humiliation); and
- the entity must take reasonable actions to redress any loss or damage suffered by the individual.
Where such a determination is made, the individual or the OAIC may commence proceedings in court to enforce the determination.
The OAIC also has the power to accept enforceable undertakings from entities under investigation. These undertakings are enforceable by the OAIC in the Federal Court. An enforceable undertaking may be offered by the entity in the course of resolving an OAIC investigation.
The OAIC also has the power to audit organisations, develop and register binding privacy codes and seek injunctive relief in respect of contraventions of the Privacy Act.
Finally, the OAIC may apply to the Federal Court or Federal Circuit Court for a penalty (currently, up to A$444,000 for individuals or A$2.22 million for corporations) to be imposed for 'serious' or 'repeated' interferences with privacy. These penalties constitute regulatory fines and cannot be used to compensate individuals for breaches of the Privacy Act. Pecuniary penalties had never been sought until 2020, when the OAIC commenced proceedings against Facebook. The proceedings are ongoing, but it seems the OAIC may attempt to seek the maximum penalty of A$2.22 million in relation to each individual serious breach of the APPs. These proceedings against Facebook are discussed in more detail below.
Other regulators
Privacy and data security issues are increasingly coming under scrutiny from other regulators. The ACCC is increasingly taking action on privacy and data handling issues under its competition and consumer law powers. Further, in an Australian first, the corporate and financial services regulator (ASIC) recently commenced proceedings alleging that various cybersecurity issues gave rise to breaches of the Corporations Act 2001 (Cth).34
In addition, APRA, the body charged with overseeing banks, insurers and superannuation entities to promote financial stability in Australia, has issued various prudential standards placing comprehensive cybersecurity obligations on regulated entities. APRA is active in enforcing these requirements (see Section IX).
ii Recent enforcement cases
OAIC determination against Uber35
In July 2021, the OAIC published its determination against Uber Technologies, Inc and Uber BV, which found that they interfered with the privacy of an estimated 1.2 million Australians by failing to comply with:
- the requirement in APP 11.1 to take reasonable steps to protect personal information against unauthorised access; and
- the requirement in APP 11.2 to take reasonable steps to delete or de-identify personal information that is no longer needed for a permitted purpose.
The OAIC also found that the Uber companies failed to comply with the requirement in APP 1.2 to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs.
The OAIC's investigation into Uber was prompted by a cyberattack experienced by Uber in 2016.
The OAIC made a number of declarations, including that the Uber companies must prepare relevant policies (such as data retention and destruction policies) and engage an independent third party to report on compliance.
The OAIC did not award compensation, stating that it is not authorised under the Privacy Act to award compensation simply because an organisation has breached the Act – an affected individual must supply evidence of loss or damage to be entitled to a remedy.
OAIC determination against the Department of Home Affairs36
In January 2021, the OAIC published its determination against the Department of Home Affairs (a federal government agency), which found that the Department had interfered with the privacy of 9,231 detainees in immigration detention by mistakenly publishing their information on a public website. This was determined to be an unauthorised disclosure of personal information and a failure to take reasonable steps to protect personal information.
This determination is significant because it was the first representative action where the OAIC awarded compensation for non-economic loss to individuals affected by a mass data breach. The compensation ranged from A$500 to A$20,000 per person, depending on the severity of the impact on each individual.
OAIC determination against Flight Centre37
In December 2020, the OAIC published its determination against Flight Centre Travel Group Ltd, which found that Flight Centre had interfered with the privacy of almost 7,000 customers by failing to comply with:
- the requirement in APP 1.2 to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs;
- the requirement in APP 6.1, by disclosing personal information to third parties without consent, for a purpose other than the primary purpose of collection; and
- the requirement in APP 11.1 to take reasonable steps to protect personal information against misuse and loss and from unauthorised access, modification or disclosure.
Flight Centre had accidentally disclosed personal information (including credit card and passport information) to third parties without consent, during a 'design jam'.
The OAIC declared that Flight Centre must not repeat the conduct but did not take any other action (perhaps due to Flight Centre's prompt response to the incident, cooperation with the OAIC and attempts to lessen the impact on individuals (including by making payments to replace passports)).
As mentioned above, this determination has implications for data collection and use practices (see Section III.ii).
ACCC proceedings against Google in relation to location data
In October 2019, the ACCC commenced proceedings against Google LLC,38 alleging it had engaged in misleading conduct and had made false representations to consumers about how and when it collects and uses their personal information in relation to location data. It was the first case brought globally to probe Google's approach to location data collection.
In April 2021, the Federal Court of Australia found that Google did engage in misleading conduct because of the way it presented its collection, storage and use of users' personal location data in its privacy statements.
The Court's finding makes clear to businesses that representations made in their privacy policies and privacy settings could lead to liability under the ACL.
The ACCC has also commenced a second misleading conduct case against Google in relation to the 2016 changes to its privacy policies regarding its decision to combine DoubleClick data with other user data held by Google. This second case is listed for hearing at the end of 2021.
OAIC proceedings against Facebook following the Cambridge Analytica scandal39
In March 2020, the OAIC commenced proceedings against Facebook, Inc and Facebook Ireland Ltd (Facebook) for breaches of the APPs identified by the OAIC following the Cambridge Analytica scandal.
The OAIC is alleging that Facebook breached, in relation to 311,127 Australian Facebook users, both:
- APP 6.1, by disclosing personal information for a purpose other than the primary purpose of collection, without obtaining adequate consent or otherwise ensuring the users were adequately informed of the disclosures that would occur; and
- APP 11.1, by failing to have adequate practices and systems in place to ensure information was being disclosed appropriately.
The case is still ongoing and will likely have major implications for digital businesses operating from offshore entities. Critically, this case will set precedents for determining both the quantum of future penalties under, and the scope of the extraterritorial application of, the Privacy Act.
iii Private litigation
In general, privacy legislation is only enforceable in Australia by the relevant authority. However, some limited private rights of action do exist; particularly, a general right under the Privacy Act for anyone to seek an injunction to restrain conduct that would be a contravention of the Act.40