Article was written by Vicky Grillakis
On 22 September 2022, telecommunications giant Optus notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner (OAIC) and other relevant agencies, including the Australian Federal Police, that it had been subject to a cyber-attack which has possibly compromised the records of up to 9.8 million of its customers. This is Optus’ second data breach, the first being in 2019 with the mistaken release of names, addresses and phone numbers of 50,000 of its customers.
Optus noted the recent cyberattack targeted personal data of current and former customers dating back five years. The personal data included names, dates of birth, telephone numbers, email addresses and identification document numbers such as driver’s license, Medicare and passport numbers. It did not, however, include billing and payment details or account passwords.
The criminal rogues are yet to be identified; however, at the time they made an online ransom demand of $AU1.5 million worth of cryptocurrency, which they have apparently dropped and apologised for.
The Home Affairs Minister Clare O’Neil noted the responsibility of the security breach ‘rests with Optus’, while Optus noted its ‘data is encrypted… at rest and in transit [with]… multiple layers of protection’. Considering this, questions need to be raised and addressed about how Australia’s privacy and data protection laws ensure that holders of your personal information protect your data.
The Privacy Act 1988 (Cth) (Privacy Act) is Australia’s established data protection regime, which seeks to promote the protection of individuals’ privacy. In its current form, the Privacy Act regulates and provides a framework for how organisations manage an individual’s personal information. This regime does so without providing a statutory cause of action for an invasion of privacy or a prescribed method of how data holders need to hold or protect one’s personal information.
Right to Privacy
In its current form, the Privacy Act does not provide a right for an individual to bring a claim against a third party for any infringement of privacy. If an individual’s personal information has been breached, the individual can make a complaint to the Australian Information Commissioner, who has the power to investigate and resolve complaints. Where the Australian Information Commissioner finds that a privacy breach has occurred, a determination may be made as to whether the individual is entitled to compensation for loss or damage suffered as a result of the breach, including economic and non-economic loss.
In 2021 the Australian Information Commissioner, in its determination in “WP” and Secretary, Department of Home Affairs AICmr 2 (WP), established a process to assess the compensation to be paid to class members and set out a scale of compensation payable for non-economic loss suffered as a result of a privacy breach. For example, for general anxiousness, trepidation, concern or embarrassment, the indicative quantum is $500 to $4,000, while in the circumstance of extreme loss or damage resulting from a data breach the indicative quantum is in excess of $20,000.
Notwithstanding the above, in most circumstances, data breach complaints are resolved by the Australian Information Commissioner by way of conciliation. This does not offer much reprieve for an individual who is the subject of a data breach.
Privacy Act and the GDPR
While the Privacy Act is comparable with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), there are significant differences. The GDPR obligates data controllers and processors to maintain a record of their processing activities, conduct a data protection impact assessment and have an appointed data protection officer in particular circumstances. The Privacy Act is silent in these areas.
Further, the GDPR details a list of security measures that controllers and processors may implement while the Privacy Act leaves it to the discretion of the data holder to take reasonable steps to protect one’s personal information.
The GDPR provides a statutory right for its data subjects to seek compensation from the data controllers or processors if they suffered material or non-material damage as a result of a privacy infringement.
In light of the continuous change in the data and risk climate, Attorney-General Mark Dreyfus has outlined his commitment to ‘sweeping reforms’ to Australia’s outdated data privacy laws, including consideration of implementing privacy rights and a tort for a serious breach of privacy.
While the reform is out for public consultation, business groups are opposed to a right to privacy, stating ‘they are yet to see compelling evidence that there is a need…[and]…the Office of the Australian Information Commissioner has reported that its conciliation process has been largely successful in resolving complaint’. Meanwhile, a 2020 survey commissioned by the Australian Information Commissioner detailed that 78 per cent of individuals supported the right to seek compensation from the courts for a breach of privacy.
The common law’s approach has been developing since the time of Latham CJ’s commentary in Victoria Park Racing & Recreation Grounds Co Ltd v Taylor:
‘…. Any person is entitled to look over the plaintiff’s fences and to see what goes on in the plaintiff’s land. If the plaintiff desires to prevent this, the plaintiff can erect a higher fence…’
While in 2001 the High Court in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd rejected the tort for an invasion of privacy by a corporation, it did not reject it for a natural person. As such, (Jane) Doe v Australian Broadcasting Corporation established a common law action for an invasion of privacy; however, it requires proof of damage.
A unified regime for privacy and data protection, with a clear methodology for the protection of personal information and a right to recourse in the instance of a data breach, should be welcomed.