03 March 2021
For the first time, the Privacy Commissioner (Commissioner) has determined that non-economic loss compensation is payable to individuals affected by a data breach in a representative action.
The Commissioner’s determination
Earlier this year, the Commissioner ordered that the Department of Home Affairs (Department) compensate over one thousand asylum seekers, including for non-economic loss, provided they demonstrated loss or damage resulting from the unauthorised disclosure of their personal information.
In February 2014, the Department inadvertently published the personal information of over 9,000 individuals held in immigration detention online. The information included names, gender, citizenship details, birth date, period of immigration detention, location, boat arrival details and reasons for being considered an unlawful non-citizen.
Following the data breach, an impacted individual submitted a representative complaint to the Office of the Australian Information Commissioner (OAIC) under the Privacy Act 1998 (Cth) (Privacy Act) on behalf of the affected asylum seekers, being the class members. The complainant sought a declaration that the class members were entitled to an apology, compensation for economic and non-economic loss and aggravated damages. Over one thousand individuals made submissions or provided evidence of loss or damage.
Under the Privacy Act, the Commissioner found that the Department had interfered with the class members’ privacy by improperly disclosing personal information and failing to have reasonable security measures in place to protect their personal information.
The Commissioner’s determination
The Commissioner referred the matter to dispute resolution for the parties to negotiate on the damages for economic and non-economic loss. The Commissioner noted that compensation should be assessed on a case-by-case basis and provided a framework to assist the parties in assessing non-economic loss. If the parties could not agree, the matter would be referred back to the Commissioner.
The Commissioner did not grant aggravated damages, in part, because the data breach was inadvertent, promptly addressed and the Department apologised and cooperated with OAIC throughout the proceedings. As the Department had already issued an apology, the Commissioner deemed a further apology unnecessary.
What test is used to determine non-economic loss in privacy claims?
The Commissioner confirmed that non-economic loss is of an “inherently personal nature” and should be considered on a case-by-case basis.
The Commissioner referred to the Administrative Appeals Tribunal decision, Rummery and Federal Privacy Commissioner and Department of Justice and Community Safety, to summarise the principles for awarding compensation under the Privacy Act, noting (directly from the decision here):
The Commissioner set up a framework with five applicable categories for compensation for non-economic loss in the matter at hand, being:
The Department is now required to embark on the complex task of assessing and negotiating each individual’s damages.
What does the decision mean for non-economic loss claims in privacy breaches?
The decision serves as a reminder of the weighty and ongoing costs of a data breach, including administrative burdens.
Although the decision is a useful guide, the non-economic loss compensation categories provided by the Commissioner are not intended to be applied to privacy matters in general. The Commissioner clarified that the categories were specific to the complaint at hand, although they were consistent with previous privacy determinations.
The Commissioner’s determination is the first for non-economic loss in a representative action and confirms that damages for non-economic loss depend on the affected individual’s circumstances.
Authors: Dan Pearce & Louise Almeida
The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.