Class actions in Australia – breach of privacy claims
In the context of the rapid growth of the global digital economy, businesses are required more than ever to ensure adequate protections for the handling of individuals' personal information. Risks associated with cyber and data breaches in Australia now include not only regulatory action, but also class actions.
Background
The handling of individuals' personal data has become a risk for businesses in terms of potential exposure to attacks by cybercriminals or inadvertent data breaches. The consequences of data breaches can be severe, including regulatory fines, class actions, and significant damage to reputation, as is evidenced by recent data breaches in Australia.
Recent cases
In recent years, Australia has seen the advent of data breach class actions. Beyond the regulatory scrutiny that follows mandatory self-reporting to the Office of the Australian Information Commissioner (OAIC), private enforcement adds further risk for businesses handling personal data. Affected companies have had to take significant steps to rebuild consumer trust.
Health insurer
In 2023, three separate class action claims were brought against the Australian health insurer Medibank (two of which have since been consolidated in the Federal Court, and one in the Supreme Court of Victoria) in relation to a data breach in October 2022. The breach resulted in the leak of personal customer data affecting 9.7 million customers, including sensitive information such as Medicare card numbers, passport numbers and health claim data. The breach was followed by a ransom demand of US$10 million.
In addition to claims under the Privacy Act 1988, alleging Medibank failed to take proper precautions to protect customer information, the claims against Medibank include an allegation the company misrepresented its compliance with information security standard CPS 234 in its public statements from 2016 to 2022. The claimants argue that Medibank's statements were misleading or deceptive (a claim under the Australian Consumer Law), which caused an inflated share price. The form and quantum of damages are yet to be determined.
Telecommunications company
A September 2022 data breach affected up to 10 million current and former customers of a telecommunications company, Optus, comprising the data of over a third of Australia's population. The breach led to a significant drop in Optus's share price, and the resignation of the company's CEO. The class action claims made against Optus in the Federal Court of Australia (similar to the Medibank class action) allege that Optus failed to comply with regulations regarding data handling, and those failures amounted to breaches of its customer contracts, and misleading or deceptive conduct.
Following the Optus breach, a competing telecommunications company in Australia launched an advertising campaign emphasising its commitment to security and reliability, subtly contrasting its services with the issues faced by Optus. That company then experienced its own data breach in December 2022, accidentally publishing customer data online as a result of the "misalignment of databases", for which it issued a public apology and was fined AUD 2.5 million by the Australian Communications and Media Authority.
Financial services company
A further class action is being investigated against Latitude Financial, for security breaches in March 2023 which compromised the personal information (including passport, driver's licence and Medicare numbers) of over 6 million customers. An individual who commenced an action in relation to this data breach in the Federal Court had his claim struck out in June 2024 for failing to identify any actual loss or damage (only the risk of loss or damage) [1].
[1] S Saffari v Latitude Financial Services Australia Holdings Pty Ltd [2024] FCA 573
Legislative Change
Data privacy has long been a key topic on the Australian Government's agenda. In 2019, the Government committed to a comprehensive review of the Privacy Act 1988. On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (the Bill) was introduced as a "significant step forward for Australian privacy law". Australian Attorney-General Mark Dreyfus noted that the Bill "begins the much-needed work of updating [Australian] privacy laws to be fit-for-purpose in the digital age". The Bill stopped short of introducing a new cause of action for breaches of the Privacy Act itself; it does, however, introduce a new statutory tort of privacy, enabling individuals to sue for serious invasions of privacy committed in circumstances that fall outside the coverage of the Privacy Act. The implications of the new tort in the context of class actions remain to be seen.
Key Considerations
With recent legislative changes in the data privacy space and exposure to data privacy class actions in Australia, businesses must be proactive in their approach.
Recommendations:
1. Preparation and Protection:
- Communicate the importance of credential protection to employees.
- Organise appropriate insurance to cover data breach risks.
- Assess the data security practices of third-party vendors and partners.
2. Breach Response:
- Have a data breach/cyber event incident response plan and test it regularly.
- Ensure efficient OAIC reporting and notification procedures.