Home | Databases | WorldLII | Search | Feedback Precedent (Australian Lawyers Alliance)

Lessing, Meg; Birchall, Ebony --- "The 2014 Immigration Data Breach: A first in Australian privacy law" [2021] PrecedentAULA 51; (2021) 166 Precedent 10

THE 2014 IMMIGRATION DATA BREACH

A FIRST IN AUSTRALIAN PRIVACY LAW

By Meg Lessing and Dr Ebony Birchall

In February 2014, the then Department of Immigration and Border Protection (the Department) published the personal information of 9,258 people who were in immigration detention (Immigration Data Breach). One of those people made a representative complaint to the Office of the Australian Information Commissioner (OAIC) and, for the first time in history, the Australian Information Commissioner and Privacy Commissioner (the Commissioner) ordered that compensation be paid for a mass privacy breach. This article outlines the importance of the decision for those affected and its place within the present privacy law landscape.

A BACKGROUND TO PRIVACY LAW IN AUSTRALIA

The development of privacy law in Australia has been gradual. The law has not kept pace with increased interferences with personal privacy in a developing technological landscape, nor with society’s recognition of the importance of privacy as a right.

The primary legislative instrument governing privacy law in Australia is the Privacy Act 1988 (Cth) (Privacy Act). Among other things, the Privacy Act provides for the establishment of a Privacy Commissioner who can hear and determine complaints relating to interferences with privacy. At the time of its introduction, the Privacy Act was intended to provide an enforceable right to privacy and a practical means for persons affected by non-compliance with the Act to seek redress.^[1] The Commissioner has issued many determinations under the Privacy Act since its inception, primarily relating to individual complaints.

There has been some case law related to notions of privacy outside of the Privacy Act regime; however, superior courts in Australia have refrained from recognising any general enforceable right to privacy at common law.^[2] Commentators have often stated that the High Court has left open the possibility of developing a common law tort for interference with privacy,^[3] and such a right has been given some limited judicial recognition by the lower courts.^[4]

In the absence of, and sometimes in lieu of, the development of such a tort, courts have expanded the application of other causes of action. One such example is Giller v Procopets,^[5] in which the Victorian Court of Appeal awarded damages for emotional hurt from a partner’s unauthorised sharing of personal images on the basis of a claim for equitable breach of confidence. Recently, in what the Australian Competition & Consumer Commission (ACCC) described as a ‘world-first enforcement action’,^[6] the Federal Court found that Google had engaged in misleading and deceptive conduct under the Australian Consumer Law when it misled consumers about the collection of personal location data.^[7]

Additionally, Commonwealth and state commission bodies have conducted several reviews of privacy law over the last 25 years.^[8] In 2008, the Australian Law Reform Commission (ALRC) recommended the enactment of a general privacy action,^[9] the nature of which was expanded upon in a 2014 report.^[10] In that report the ALRC proposed the introduction of a new statutory cause of action in the form of a tort of serious invasion of privacy, which would not require proof of actual damage but would provide for damages for emotional distress. More recently, the statutory tort as formulated by the ALRC was endorsed by the ACCC in the context of its 2019 Digital Platforms Inquiry.^[11]

In response, the Australian Government announced a review of the Privacy Act. The terms of reference for the review include whether the Privacy Act effectively protects personal information; whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act; and whether a statutory tort for serious invasions of privacy should be introduced into Australian law.^[12] At the time of writing the Attorney-General’s department is considering submissions, with a discussion paper expected to be released later this year.

THE IMMIGRATION DATA BREACH

The breach occurred when the Department published a report on its website which inadvertently contained a link to a spreadsheet detailing personal information of all people within the detention network in Australia at that time. This information included names, dates of birth, citizenship statuses, locations, boat arrival details and periods of immigration detention.

People affected by the data breach made complaints to the OAIC in 2014 and a representative complaint under the Privacy Act was eventually commenced, covering all people whose information had been published in the data breach (known as ‘class members’). In 2018, the OAIC published a notice to all class members stating that people who had suffered loss or damage as a result of the data breach and who wanted the opportunity to make a claim for compensation needed to provide the Commissioner with a submission or evidence of their loss or damage by a specified deadline that year.

Slater and Gordon began acting in this matter in 2018 after receiving requests for assistance from class members and from organisations in the refugee sector. The initial representative complainant had died, and a client of Slater and Gordon was substituted as the new representative. Slater and Gordon acted in this matter pro bono and worked in partnership with the Refugee Advice and Casework Service. As well as acting for the representative complainant, Slater and Gordon created translated guidebooks in an attempt to assist as many of the thousands of class members as possible to make the required submissions by the deadline. A network of refugee support organisations and advocates across Australia provided individualised assistance to hundreds of class members. This network of pro bono legal support was important as many of the people affected have limited access to legal assistance, a difficulty which is compounded by cultural and language barriers.

In January 2021, the Commissioner published a determination regarding the Immigration Data Breach^[13] (Determination) finding that the Department had breached the Privacy Act. It stated that the 1,297 class members who had provided evidence or submissions of loss or damage in 2018 were entitled to have their compensation claims assessed. However, the remaining class members – those who had failed to make submissions or provide evidence of loss or damage – were determined to have no entitlement under the Privacy Act to claim compensation.

The Commissioner’s finding provides important recognition of the breach of privacy and the detrimental impact on class members. However, as the Commissioner determined that only class members who had responded to the notice by the deadline were entitled to compensation, most of the class members were precluded from accessing compensation. Many of the people who missed the deadline did so because they either did not know that they were required to submit evidence or were not able to access help to navigate the complex legal process.

Slater and Gordon Lawyers is now acting pro bono in a merits review of the Determination before the Administrative Appeals Tribunal (AAT). In that review, the applicants argue that all people affected by the data breach, including those who missed out in the Commissioner’s Determination, should be given an opportunity to claim compensation. The applicants also argue that the process for assessing the amount of compensation must be fair and accessible.

Although the Determination is under review, it is an important decision given this is the first time the Commissioner has ordered compensation in a representative complaint. Further, the approach taken by the Commissioner in the Determination provides insights on how representative complaints may operate in the future.

QUANTIFYING COMPENSATION UNDER THE PRIVACY ACT

Privacy is a fundamental human right and acts as a protection for individuals from unwanted attention or interference. The breach of privacy at the centre of this case was particularly egregious because privacy is of heightened importance to people seeking asylum; this particularly sensitive need for privacy may be difficult to appreciate by people who do not have the same history of displacement and trauma.

People affected by the breach have expressed in their many submissions to the OAIC their fear that their personal details and information on their movements have been accessed by authorities in their home countries. Government reporting on the breach demonstrates that the relevant file was accessed over 100 times from IP addresses around the world. This has intensified class members’ fears of persecution, with some concerned that authorities in their home countries now know, because of the breach, that they live in Australia, and that these authorities may target them through their networks in Australia. Other class members fear that if their refugee application to live in Australia is refused, and they have no choice but to return to their home country, the risk of persecution will be even higher than it was previously. Some class members are distraught, believing that now they will never be able to return home to visit family. Many class members also fear that the data breach could cause repercussions for family members who remain in their home countries.

People affected by the breach report a range of impacts, including feeling unsafe and unable to leave the house or to relate to other people in the community, and experiencing stress, anxiety, nightmares and paranoia. In some cases, the breach has caused or exacerbated mental health conditions.

It is worth examining how compensation is quantified under the Privacy Act. The Act provides that the Commissioner can investigate a privacy complaint and make a declaration that the complainant is entitled to compensation for any loss or damage suffered.^[14] Loss or damage includes injury to feelings or humiliation suffered by the complainant.^[15]

The common law principles relevant to awarding and quantifying compensation under the Privacy Act are summarised as follows in the Determination:

‘

• where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course

• awards should be restrained but not minimal

• in measuring compensation the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute

• in an appropriate case, aggravated damages may be awarded

• compensation should be assessed having regard to the complainant’s reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.’^[16]

Some commentators assert that the finding of a breach of privacy should itself raise an entitlement to compensation, regardless of whether any loss or damage can be proven.^[17] Alternatively, it has been conceptualised as being the case that a person whose privacy is breached has by default suffered a compensable loss separate from any emotional or financial loss, being the loss of ownership or control over their personal information. For example, a loss in these terms has recently been recognised in the landmark UK decision Lloyd v Google LLC.^[18] In the decision, the Court of Appeal found that compensatory damages are in principle capable of being awarded for loss of control of data as an asset of value, without showing pecuniary loss or distress.

Under the Determination on the Immigration Data Breach, the 1,297 class members who provided evidence or submissions of loss or damage in 2018 were entitled to have their compensation claim assessed. Addendum A of the Determination provides a quantification matrix that outlines five categories of non-economic loss and the quantum of compensation to be awarded for each category. Category One includes general anxiousness, trepidation, concern or embarrassment, and these types of damage are awarded a range of $500 to $4,000 in compensation. Category Four includes the development of a mental health condition resulting in referral to a mental health specialist, which provides a range of compensation of $12,001 to $20,000. Category Five is reserved for extreme loss or damage, with compensation awards of over $20,000.^[19]

The applicants in the merits review before the AAT have sought review on the basis that these compensation awards are not in keeping with community values and expectations, and fail to recognise the unique vulnerabilities and fears of the class members that would exacerbate the harm suffered.

ACCESS TO JUSTICE

As the Immigration Data Breach was the first representative complaint in which the Commissioner made compensatory declarations, the processes used by the OAIC were novel and untested. However, the representative complaint structure was based on and intended to align with the courts’ class action procedures under the Federal Court of Australia Act 1976 (Cth).^[20] Therefore, in the sections that follow, we will compare the operation of the representative complaint function to class action practice.

Slater and Gordon Lawyers ran a class action on behalf of the people detained at the Manus Island Processing Centre.^[21] The characteristics of the cohort involved in that class action were the same as those of the cohort affected by the Immigration Data Breach. In the Manus Island Class Action, the percentage of people affected who were able to successfully access their rights to compensation was high, with 89 per cent of the class participating in the case (1,693 of 1,905 people). This demonstrates that higher participation rates can be achieved even within cohorts facing multiple barriers to engaging in legal processes.

In the context of the Privacy Act, a fair and accessible representative complaint process is crucial because in the absence of pro bono legal assistance it is unlikely that class members will have access to legal representation; s52(3) of the Privacy Act appears to prevent representative complainants from recovering legal expenses incurred in connection with the investigation of the complaint.

Exclusion of class members

One of the most significant ways in which the representative complaint scheme mirrors the class actions scheme is that a lead complainant may bring a complaint on behalf of all persons affected, whether or not such people have provided their consent, and the individuals affected can then opt to no longer participate in the complaint. Therefore both legislative schemes are intended to operate on an opt-out basis.

Generally, class actions require that evidence of loss or damage be provided by a lead plaintiff only, or by a group of sample claims. This enables the court to make findings as to common questions relating to liability or damages first, and any process requiring the bulk of the class affected to take active steps will come at the end of the proceeding, at a time when legal complexities and uncertainties have been substantially resolved. This means that any processes requiring class members to take active steps will be as straightforward and accessible as possible.

The question of whether the class action regime should operate on an opt-out or opt-in basis has been the subject of considerable parliamentary debate. During one of those debates, the Attorney-General stated that the Government believes an opt-out procedure is preferable on both equitable and efficiency grounds, and highlighted that it ensures that people who face barriers in engaging in legal processes can obtain redress in circumstances where they may be unable to take positive steps to engage themselves in those processes.^[22]

When the Commissioner determined that all class members who had not provided evidence of loss or damage by the deadline were disentitled to make any claim for compensation, this had the same effect as creating an opt-in process: it excluded the majority of the class from having their claims assessed because of their failure to take positive steps in a complex legal process. This is particularly concerning in circumstances where some class members have expressed apprehension about taking positive steps in proceedings against the Department because they remain vulnerable to the Department’s decisions regarding their visa status.

The compensation assessment process

The Commissioner’s Determination establishes a compensation assessment process whereby the Department would determine a compensation amount for each individual using the quantification guide contained in the Determination. Each individual would then be required to review the Department’s assessment and respond, indicating whether or not they agree with the assessment. The Determination does not provide people affected with any access to legal or interpretation assistance to enable them to consider the appropriateness of the Department’s assessment of their claim.

The compensation assessment process will be a central focus of the AAT review. There are several issues involved, including whether it is appropriate for the Department to administer the assessment process, and whether class members should be provided with legal representation and translation assistance.

In class actions, if compensation becomes payable to a large group of people, the court appoints an administrator to assess and process individual entitlements to compensation. The court plays a protective role in the process of assessing compensation through the requirement that settlements and associated compensation assessment schemes be approved by the court. To consider whether a proposed assessment process is procedurally fair, the court will assess factors such as whether appropriate individuals have been nominated to administer the process and whether the procedures for lodging and assessing claims are appropriate.^[23]

CONCLUSION

The Immigration Data Breach litigation is the most significant use of the representative complaint powers in the Privacy Act to date and appears likely to result in the largest compensation figure ever to be determined for a privacy claim in Australia. It is an important reflection of the fact that privacy breaches are not trivial or consequence-free mistakes and that, increasingly, individuals who suffer loss as a result of a breach should expect to be able to obtain redress. Organisations holding personal or sensitive data need to take their obligations seriously, and the presence of meaningful consequences and compensation rights following breaches is a significant development.

The Commissioner’s Determination has been stayed while the AAT review proceeds. The AAT review is listed for hearing in December 2021 and a decision is expected early in 2022.

People affected by the data breach or their representatives or advocates can stay up to date on this matter by visiting our website: www.slatergordon.com.au/data-breach.

Meg Lessing and Dr Ebony Birchall are both lawyers in the Project Litigation team at Slater and Gordon Lawyers and are part of the team acting in the Immigration Data Breach. PHONE (02) 8267 0609 EMAIL meg.lessing@slatergordon.com.au and ebony.birchall@slatergordon.com.au.

^[1] Commonwealth, Parliamentary Debates, House of Representatives, 23 October 1986, 2656 (Lionel Bowen MP).

^[2] See the New Zealand case Hosking v Runting [2004] NZCA 34; [2005] 1 NZLR 1, where a common law tort of invasion of privacy was accepted by the Court of Appeal.

^[3] See for example Australian Law Reform Commission (ALRC), Serious Invasions of Privacy in the Digital Era, Final Report (Report 123, 2014) [3.52].

^[4] Grosse v Purvis [2003] QDC 151; Doe v Australian Broadcasting Corporation & Ors [2007] VCC 281.

^[5] [2008] VSCA 236; (2008) 24 VR 1.

^[6] Australian Competition & Consumer Commission (ACCC), ‘Google misled consumers about the collection and use of location data’ (Media release, 16 April 2021) <https://www.accc.gov.au/media-release/google-misled-consumers-about-the-collection-and-use-of-location-data>.

^[7] Australian Competition and Consumer Commission v Google LLC (No. 2) [2021] FCA 367.

^[8] ALRC, Unfair Publication: Defamation and Privacy (Report 11, 1979) 215–22; ALRC, Privacy (Report 22, 1983); ALRC, Essentially Yours: The Protection of Human Genetic Information in Australia (Report 96, 2003); ALRC, For Your Information: Australian Privacy Law and Practice (Report 108, 2008); NSW Law Reform Commission (NSWLRC), Invasion of Privacy (Report 120, 2009); NSWLRC, Protecting Privacy in New South Wales (Report 127, 2010); Victorian Law Reform Commission, Surveillance in Public Places (Report 18, 2010); ALRC, Report 123, above note 3.

^[9] ALRC, Report 108, above note 8.

^[10] ALRC, above note 3.

^[11] ACCC, Digital Platforms Inquiry – Final Report (Report, 26 July 2019), 493, <https://www.accc.gov.au/publications/digital-platforms-inquiry-final-report>.

^[12] Attorney-General’s Department, ‘Review of the Privacy Act 1988 – Terms of Reference’ (30 October 2020) <https://www.ag.gov.au/integrity/publications/review-privacy-act-1988-terms-reference>.

^[13] ‘WP’ and Secretary to the Department of Home Affairs (Privacy) [2021] AICmr2 (11 January 2021) (Determination) <https://www.oaic.gov.au/assets/privacy/privacy-decisions/privacy-determinations/WP-and-Secretary-to-the-Department-of-Home-Affairs-Privacy-2021-AICmr-2-11-January-2021.pdf>.

^[14] Privacy Act 1988 (Cth) (Privacy Act), s52(1)(b)(iii).

^[15] Ibid, s52(1AB).

^[16] Determination, above note 13, [55].

^[17] See for example Public Interest Advocacy Centre, Submission to the Review of the Privacy Act (Submission, November 2020) 16–17, <https://www.ag.gov.au/sites/default/files/2021-01/public-interest-advocacy-centre.PDF>.

^[18] [2019] EWCA Civ 1599.

^[19] Determination, above note 13, Addendum A.

^[20] Explanatory Memorandum, Law and Justice Legislation Amendment Bill 1993 (Cth) 1. Note that while the Privacy Act’s representative complaint provisions clearly mirror those in the Federal Court of Australia Act 1976 (Cth), not all the class action provisions are reflected in the Privacy Act.

^[21] Kamasaee v Commonwealth of Australia & Ors, Victorian Supreme Court proceeding S CI 2014 6770.

^[22] Commonwealth, House of Representatives, Debates (14 November 1991) 3174–5 at 3175 (Michael Duffy MP), as cited in D Grave, K Adams and J Betts, Class Actions in Australia, Thomson Reuters (Professional) Australia, Sydney, 2012, 286.

^[23] Camilleri v The Trust Company (Nominees) Limited [2015] FCA 1468, 44.