The rise of data breach litigation in Australia
Many people have undoubtedly seen or heard about Facebook in the headlines lately. Facebook’s CEO Mark Zuckerberg was placed under the spotlight before senators at a Congressional hearing about “the Facebook”, due to the collection of personal information by Cambridge Analytica, affecting up to 87 million users. Many millennials would cringe if they were asked if something on a floppy disk was the same as a social network. Cambridge Analytica has now placed its UK business into administration and will be commencing bankruptcy proceedings in relation to its US business as a result of the negative publicity attracted by this saga.
Given the advances in technology, there are now many repositories of personal information - health, hotels, telecommunications and online shopping accounts, just to name a few. Accordingly, personal and sensitive information is being stored increasingly in electronic formats. By the same token, that means electronically stored information is a target for data breaches.
The Facebook/Cambridge Analytica incident is by no means isolated. Other recent examples include:
Data breach litigation has been an ongoing phenomenon for many years in the United States and the United Kingdom. Australia is still relatively new to the playing field, having only recently amended its privacy laws to include mandatory notification of eligible data breaches. We have previously written on the new data breach notification regime that came into effect earlier this year in Australia. Despite this recent development, there are still many hurdles for individuals seeking to make claims because their personal information has been compromised.
In the United Kingdom, a person who has suffered damage arising from a data breach has a statutory cause of action to sue the holder of that information. That position may be modified slightly, with the introduction of the Europe-wide General Data Protection Regulation (GDPR), which will come into effect on 25 May this year. Our ICT and Data Protection Team has previously discussed the effect of the GDPR. This will only be of concern for businesses which have operations in the European Union (and despite Brexit, the UK Parliament has stated its intention to retain the GDPR after it leaves the EU).
The leading case in the UK regarding mass data breaches is Vidal-Hall v Google Inc EWCA Civ 311, which confirmed that a tort of misuse of private information exists.
In the United States, there is data breach legislation at both the federal and state levels and generally speaking, individuals are able to commence proceedings to recover damages arising out of injuries suffered from the data breach (however, this will depend upon the laws in the relevant state). A threshold issue for claimants in the US is standing (that is, the ability for a claimant to sue) which has been interpreted under the US Constitution as requiring concrete, actual or imminent loss. Currently, this question remains unresolved (and the US Supreme Court recently declined to review a decision that could have allowed it to clarify that issue for data breach claimants).
There is presently no specific personal statutory right under Australian law, comparable to the UK and US law, for a claimant to make a claim in respect of their privacy or a data breach. Currently, the Privacy Commissioner is the only person with standing to bring a claim under the Privacy Act 1988 (Cth). That being said, it is possible that claims by persons affected by a data breach could be formulated based on existing legal principles.
Almost two decades ago, the High Court of Australia declined to recognise the existence of a tort of privacy (see ABC v Lenah Game Meats Pty Ltd). However, it was suggested in that case that an action for breach of confidence may be available in appropriate circumstances. Depending on the circumstances of the breach, it may also be possible for an action to be brought for negligence.
The cases surrounding data breaches often fall into two categories. Assume you are a company in Australia hosting a wealth of data containing personal (or sensitive) information on a number of individuals and:
A majority of the population are consumers of services and products which collect, use or disclose personal information. From a consumer’s perspective, if there is a data breach and personal information is compromised, a simple notification of an information breach occurring is hardly a satisfactory outcome. Consumers will expect a right to claim for loss and damage.
Because the potential scale of a data breach can compound losses significantly, the question arises whether a broad group of claimants may be able to seek compensation for their loss. Questions as to the formulation of any claims, the amount of any loss and the viability of group proceedings will therefore be relevant. Further, the mandatory data breach notification regime (if applicable) may have the effect of identifying a group of consumers that could constitute a “class” for the purposes of class action litigation.
As far as we are aware, there have been no reported mass data breach litigation cases in Australia. This is an area of Australian law that is still developing and it remains to be seen how Courts in Australia will develop the law. However, there is the potential for claims to arise, as we have outlined above.
If you require advice on data and privacy compliance and governance, please contact one of our notifiable data breach and privacy experts. If you would like further advice in dealing with data breach litigation, please contact Special Counsel Aaron Alcock or Solicitor Jay Tseng from our Litigation and Dispute Resolution team.