Loss or damage in data breaches: key principles on compensation

With an increasing number of data breaches occurring in Australia, one issue for companies in preparing for cyber incidents (and any flow on litigation that may occur) is the question of compensation for breaches of privacy.

Breaches of the Privacy Act 1988 (Cth) (Privacy Act) can sound in compensation for non-economic loss such as embarrassment, humiliation or anxiety etc. (unlike the general position under other causes of action such as contract, or in negligence).

A recent decision by Federal Court Justice Melissa Perry, sitting in the Administrative Appeals Tribunal (AAT), provides useful guidance on questions of eligibility for compensation and the assessment of loss or damage for privacy-related representative claims.

The AAT’s decision in HYYL and Privacy Commissioner [2023] AATA 2961 shows that, at least for claims brought under the current regime in the Privacy Act, actual proof of loss by each individual class member needs to be established before compensation can be claimed.

This may present challenges for plaintiff law firms seeking to recover damages for large numbers of affected persons in privacy breach class claims.

However, anticipated major reforms to Australia’s privacy law regime may soon change this landscape, with the introduction of new private avenues of claim for individuals that will broaden the range of remedies available for interferences with privacy. Our detailed commentary on the proposed reforms is available here.

Even though the decision imposes an administrative burden on individuals who suffer a privacy breach, agencies and organisations responsible for protecting personal information should be aware that civil penalties can also be imposed under the Privacy Act, irrespective of whether there has been any compensation awarded. In late 2022, there were significant increases to the maximum penalties for serious or repeated privacy breaches, jumping to $50 million, and sometimes more based on benefit obtained from the breach or group turnover. Details here.

Read more for further detail on the AAT’s decision and its implications.

What was the decision about?

• The AAT decision considered a determination by the Privacy Commissioner as to compensation available to individuals affected by a data breach.
• The data breach in question was caused in 2014, when the then Department of Immigration and Border Protection (Department) published a report on its website which included an embedded excel spreadsheet containing the personal information of 9,258 individuals in immigration detention (Data Breach). A representative complaint was made to the Privacy Commissioner on behalf of the affected individuals against the Department for privacy breaches.
• In assessing the complaint, the Commissioner determined that the Privacy Act empowered her to award monetary compensation only where individual complainants had put on evidence or submissions establishing they had suffered loss or damage by reason of interference with their privacy.
• The Commissioner’s determination also included a scale for assessing compensation payable to individuals who had established individual loss or damage. That scale ranged from $500 (minor loss or damage, e.g. general anxiety, stress, concern) to over $20,000 (for extreme loss or damage).
• Certain class members (the Applicants) applied to the AAT for a review of the Commissioner’s determination, including on the basis that the scale was based on outdated examples and did not align with community expectations for breaches of privacy.

The AAT found that:

• Individual members in the class needed to provide submissions and / or evidence to substantiate what loss or damage they had suffered (upholding the position of the Commissioner):
  • The AAT rejected the Applicants’ argument that all class members had necessarily suffered a ‘common’ and non-individualised loss which should be reflected in a base payment of $10,000 per class member.
  • Having regard to the clear language of s 52 of the Privacy Act (the provision under which the Commissioner made her determination), the AAT said it was plain that compensation can be awarded only where class members establish individually they have suffered loss or damage – specifically, the provision only permits a declaration entitling a complainant to compensation “for loss or damage suffered by reason of the act or practice the subject of the complaint”.
• The class members that had provided relevant evidence and / or submissions (1,295 of around 9,258 individuals affected by the Data Breach) were eligible to be paid compensation, assessed pursuant to a scale:
  • The AAT’s scale was similar to that originally determined by the Commissioner, i.e., adopting the same broad ranges, with some changes to category descriptions.
  • The AAT emphasised that it was important to have regard to the nature of the breach in question – it rejected the relevance of other yardsticks raised by the Applicants, including e.g. awards made under the Sex Discrimination Act, or factual situations which were very different, such as penalties imposed by foreign regulators arising from high profile privacy breaches.  
  • The AAT accordingly rejected the higher quantum scales proposed by the Applicants, which, in addition to the base payment of $10,000 per class member, otherwise ranged from $5,000 to more than $25,000 for individualised losses.
  • Finally, the AAT observed that the nature of damages under s 52 is expressly compensatory, such that larger awards were not justified simply because of increased public awareness of and attention to matters of privacy. While the ‘community expectations’ argument made by the Applicants was not successful here in the context of compensation, that argument was one of the justifications for big increases to Privacy Act penalties, described above. Regardless of this decision, defendants are then still subject to greater impacts than ever before in the event of a privacy breach.
• Class members that had not previously provided evidence and / or submissions regarding their loss or damage should be given a further opportunity to do so, so long as they could show a reasonable explanation for not previously doing so. The AAT found that there were some deficiencies in the original notice to affected persons issued by the Department which dealt with compensation, especially given the particular vulnerability of the class members affected by the Data Breach (as compared to those comprising class members in representative proceedings more generally).