Claimants in Australia face a number of challenges to successfully bringing a privacy class action, including the absence of a clear cause of action and difficulties in quantifying loss. Despite the challenges, on 9 December 2019, the Supreme Court of NSW in Evans v Health Administration Corporation approved a $275,000 settlement as fair and reasonable in Australia’s first data breach class action. The settlement saw each group member receive around $2,400 and the lead plaintiff, Tracy Evans, around $10,000 for her stress and burden as the representative plaintiff.

Hurdles to future class actions

The current Australian regime does not provide individuals with a specific statutory right comparable to that in the UK and the US to make a claim for breach of privacy. Currently, individuals have the right to:

  • make an individual or representative complaint to the Office of the Australian Information Commissioner under the Privacy Act 1988 (Cth). The Information Commissioner is the only person with standing to bring a claim; or
  • commence legal proceedings on the basis of other statutes, common law and equitable causes of action, depending on the relationship between the claimant and the offending entity.

The challenges faced by claimants are further exacerbated by the High Court’s decision in ABC v Lenah Game Meats Pty Ltd, in which the Court declined to recognise the existence of a tort of privacy, but suggested that, in appropriate circumstances, it may be recognised in the future. It is likely that claimants will continue to allege the existence of a tort of privacy, until it is revisited by a superior court.

Another hurdle to future litigation is the critical issue of proving and quantifying loss by claimants, which is particularly difficult in cases of non-economic loss. This is also a complex issue that offending entities and insurers need to grapple with.

In recent years, we have seen an increased legislative focus on data protection and dissemination. In 2018, the Notifiable Data Breaches scheme came into force, which requires mandatory notification of data breaches by businesses with an annual turnover of over $3 million.

In September 2019, the Commonwealth government introduced a ‘Consumer Data Right’ bill which would enable consumers to have greater access and control to data held about them by businesses.

This increased focus on data protection and management is likely to pave the way for the future introduction of a statutory cause of action enabling consumers to claim damages for mismanagement of their data and provide better certainty to businesses and insurers in quantifying loss.

Incidental risks

A data breach may also trigger a securities class action if the breach is not adequately managed. Under ASX Listing Rule 3.1, publicly listed companies must disclose data breaches to the ASX where they would reasonably be expected to have a material effect on the value of securities.

The case

In 2013, Waqar Malik (Mr Malik), a contractor for Ambulance NSW, unlawfully accessed and sold sensitive information of over 100 Ambulance NSW staff, including workers compensation files and medical records to personal injury law firms. Mr Malik was convicted in 2015 for unlawfully disclosing confidential information.

In December 2017, the Plaintiffs commenced a class action against Ambulance NSW and Mr Malik. The claim against Ambulance NSW rested on a number of causes of action including breach of confidence in equity, breach of contract, misleading and deceptive conduct under the Australian Consumer Law, and breach of a tort of invasion of privacy by Mr Malik for which Ambulance NSW was liable or vicariously liable.

Reasonableness of the settlement

The Court was assisted by a confidential opinion provided by the Plaintiffs’ counsel in determining whether the settlement was fair and reasonable (Confidential Opinion). Amongst other things, the Confidential Opinion canvassed various risks associated with pursuing a privacy class action to trial, including that:

  • it is presently undecided in NSW whether an equitable cause of action for breach of confidence will give rise to damages or equitable compensation for mental distress falling short of psychiatric illness;
  • there is currently no recognised tort of invasion of privacy in Australia (contrary to developments in New Zealand and the UK);
  • Ambulance NSW may contend that it is not vicariously liable for Mr Malik’s actions as a contractor; and
  • in relation to the misleading or deceptive conduct claim, Ambulance NSW may contend that its dealings with its employees are not in trade or commerce, and therefore not covered by either sections 18 or 29 of the Australian Consumer Law.