The Australian Privacy Commissioner has signalled an intent to increase regulatory action and the Government is likely in the short term to introduce reforms to increase the penalties under Australia’s privacy legislation, though it is unlikely those reforms will result in an increase in class actions.
Action in relation to Cambridge Analytica
On 9 March 2020 Australia’s Privacy Commissioner commenced proceedings in the Australian Federal Court against Facebook relating to the Cambridge Analytica incident. The proceedings were commenced under section 13G of the Privacy Act 1988 (Cth) (Privacy Act). This section creates a civil penalty contravention where a regulated entity either does an act or undertakes a practice that is a serious interference with the privacy of an individual (section 13G(a)) or repeatedly does an act or undertakes a practice that is an interference with the privacy of one or more individuals (section 13G(b)). An act or practice will interfere with the privacy of an individual where it breaches the Australian Privacy Principles contained in Schedule 1 of the Privacy Act. Only the Privacy Commissioner may commence proceedings for a breach of section 13G.
The Privacy Commissioner claims that, in the Cambridge Analytica incident, the personal information of approximately 300,000 Australian Facebook users was exposed to being sold and used for purposes, including political profiling, well outside those users’ expectations. This, in the Privacy Commissioner’s view, occurred as a result of Facebook’s breaches of certain of the Australian Privacy Principles during the period 12 March 2014 to 1 May 2015, when personal information of Australian users was collected by the “This is Your Digital Life” app.
Each contravention, if proven, could attract a civil penalty of up to AU$1.7 million, which was the maximum penalty able to be imposed for a contravention of section 13G at the time the events that are the subject of the proceedings occurred. Given the number of individuals the Privacy Commissioner has indicated have been impacted by the contravention, in theory, Facebook could be ordered to pay over AU$500 billion, though there is no prospect that the Federal Court would impose such a significant penalty. In the time since the Cambridge Analytica events occurred, the maximum civil penalty available under the Privacy Act has increased to AU$2.1 million (or AU$420,000 for individuals).
“Class action” against Optus
In April 2020, a “class action” complaint was lodged with the Office of the Australian Information Commissioner (OAIC) against one of Australia’s largest telecommunications companies, Optus.
In October 2019, Optus notified approximately 50,000 customers that their personal information, including names, addresses and phone numbers, had been published in “White Pages”, which is Australia’s directory of residential telephone numbers, in both the online and printed versions. This occurred in error as the relevant customers had requested that such publication not occur. The personal information was removed from the White Pages online directory but of course no steps could be taken to remove the personal information from the printed version of the White Pages. In addition to notifying the impacted customers, Optus notified the Privacy Commissioner, as it determined it was required to do so under Australia’s mandatory notifiable data breach scheme.
The complaint that has now been made to the Privacy Commissioner is a representative complaint. Section 38(1) of the Privacy Act provides that a representative complaint may be made on behalf of a class of people where all the class members are affected by the same or a similar interference with privacy and where each claim requires the same or substantially the same issues to be considered. A representative complaint may be made without the consent of all of the class members, provided at least one class member initiates the complaint.
The representative complaint does not constitute court proceedings, and the Privacy Commissioner retains the right to investigate the complaint or determine, in accordance with the Privacy Act, that it should not be investigated. Although the Privacy Commissioner has not given any public indication of whether she proposes to launch an investigation, there are only limited circumstances in which she may refuse to investigate a complaint (for example, where she determines the complaint is frivolous or vexatious or a complaint has not first been made directly to the relevant entity which was not able to be satisfactorily resolved). So, it is expected that in due course an investigation will occur.
After investigating a complaint, the Privacy Commissioner is required to make a determination as to whether or not a breach of the Privacy Act has occurred. If a determination is made that there has been a breach, the Commissioner may include other declarations in the determination, including that specific steps are to be taken to ensure that the relevant conduct does not continue or is not repeated and that impacted individuals receive compensation. The Privacy Commissioner may also resolve a complaint, prior to a determination being made, if she accepts an appropriate enforceable undertaking from the relevant entity agreeing to take steps to resolve the relevant conduct.
Although the Commissioner has previously acknowledged the significant risks of harm that may arise in connection with the publication of contact information of so-called “silent line” customers in Australia’s White Pages, to date there have been no instances of serious harm that have been publicly reported as arising from the Optus incident. Therefore, although it has been publicly reported that the complainant is seeking a determination that includes monetary compensation, it may well be the case that the Commissioner, even if she concludes Optus has breached the Privacy Act, determines that monetary compensation is not appropriate. In any event, compensation awards made by the Privacy Commissioner have historically been low, and so it would be expected that, if monetary compensation was determined to be payable, the amount determined to be payable would be low.
Remedies under proposed amendments to Australia’s Privacy Act
Both the Facebook proceedings and the Optus complaint highlight that under Australia’s Privacy Act individuals cannot directly seek redress in the courts for interferences with their privacy. If the Privacy Commissioner is successful in the Facebook proceedings, any penalty that is imposed will not be paid to the individuals who were impacted by the data breach. In addition, the penalties that the Commissioner is able to seek in that case are not, either by Australian or global standards, particularly high. In the Optus complaint, the complainants will need to convince the Privacy Commissioner that monetary compensation is appropriate – there is no prima facie entitlement to receive this and, as noted, any compensation that is determined to be payable would be likely to be low.
The Australian Government has stated it will move forward with amendments to the Privacy Act that will mean the consequences for regulated entities of breaching the Privacy Act are more significant, not only as a result of increases in the penalties the Privacy Commissioner may seek but also because individuals will have rights to take direct action.
Proposal for increased penalties
The Australian Government has announced its intention to amend the Privacy Act in 2020 so that penalties the Privacy Commissioner may seek for breaches of that Act are increased to be equal to those applicable for breaches of the Australian Consumer Law. If that legislation is enacted (and the COVID-19 pandemic has delayed the timing for the proposed changes) penalties for serious and/or repeated interferences with privacy under the Privacy Act will be increased to the greater of:
These proposed increases will not only bring the Privacy Act in line with Australia’s consumer protection legislation but will also more closely reflect the penalties available in other jurisdictions. For example, in the European Union, serious infringements of the General Data Protection Regulation may result in fines of up to the higher of €20 million or 4% of the total worldwide annual turnover of the entity in breach. Less serious infringements may result in fines of up to the higher of €10 million or 2% of the total worldwide annual turnover of the entity in breach.
New rights for individuals to take direct action
In the Final Report from its 2019 Digital Platforms Inquiry, the Australian Competition and Consumer Commission (ACCC) recommended:
The Australian Government accepted the first of these recommendations in principle (though subject to consultation and design of specific measures) and noted the second recommendation. It has indicated that it will consult on a direct right for individuals to take action for privacy breaches as part of the same legislation package that will introduce the increased penalties under the Privacy Act, as referred to above.
Support for class actions unlikely
Although the Government supported in principle the introduction of a direct right of action by individuals for interference with their privacy, more recent events indicate this support does not extend to class actions. On 13 May 2020 the Australian Government referred to the Parliamentary Joint Committee on Corporations and Financial Services an inquiry into litigation funding and the regulation of the class action industry. The terms of reference of the inquiry are wide ranging, covering the role and regulation of litigation funders, the impact on compensation awards for class members, the potential impact of proposals to allow contingency fees and the economic impact of increased class actions.
When announcing the Australian Government’s decision to refer the matters for inquiry, Attorney-General Christian Porter was highly critical of “extraordinary” profits being made by the litigation funding industry and the detrimental impact this has on the compensation which is actually received by class members. The report of the Committee is due in December 2020. The views of the Government on class actions may result in any amendments to the Privacy Act including restrictions on this type of action.
The statutory tort for serious invasions of privacy is proposed to be considered as part of a longer term review of the Privacy Act to determine whether, in the current digital age, the Privacy Act remains fit for purpose. Subject again to delays created by the Australian Government’s response to COVID-19, it would be anticipated that this longer term review will occur over the latter part of 2020 and 2021.
Businesses should consider likelihood of increased liability
The Facebook proceedings and the Optus complaint, together with the Australian Government’s proposed statutory reforms outlined above, may herald a tougher approach to enforcement of privacy protections in Australia, even if the Government restricts privacy class actions. Businesses should be particularly rigorous in implementing processes to ensure compliance with the Privacy Act, given the likelihood that in the short term penalties will increase and individuals will be given the right to bring proceedings directly, without the need for the Privacy Commissioner to act on their behalf.
The full terms of reference are available at: https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Corporations_and_Financial_Services/Litigationfunding/Terms_of_Reference.
See media release on 5 March 2020 at https://www.attorneygeneral.gov.au/media/media-releases/committee-examine-impact-litigation-funding-justice-outcomes-5-march-2020.