The Pointy End of Privacy: Addressing litigation risk ahead of Privacy Act changes
- The litigation risk arising from data breaches is set to accelerate with foreshadowed changes to the Privacy Act 1988 (Cth) (Privacy Act), including two rights of claim that are entirely new under Australian law.
- OAIC’s enforcement capability will be significantly enhanced. Additionally, with directors and officers personally liable where they fail to discharge their duty of care and diligence, ASIC has signalled its intention to bring enforcement proceedings against Boards and C-Suites where it sees serious failures to mitigate the risk of cyber-attacks.
- We set out strategies that directors, officers and organisations can deploy now, in readiness for the Privacy Act changes and the heightened litigation, liability and enforcement exposures that accompany them, so as to take charge of an increasingly complex landscape and demonstrate to customers and other stakeholders that the business takes seriously the personal information with which it is entrusted.
In a quickly evolving regulatory and threat environment, it is critical to join the dots between privacy, cybersecurity, business impact and litigation/enforcement risk. With data breaches already triggering cascading risks for a business, this multiplier effect will be given added potency by upcoming changes to the Privacy Act.
Significantly, among the reforms now agreed in-principle are two new litigation rights for individuals. These rights would open the door for the first time to direct claims against organisations for privacy breaches.
In tandem, increased enforcement action has been flagged by both ASIC, with respect to cyber-security risk mitigation, and the Office of the Australian Information Commissioner (OAIC), with respect to Privacy Act compliance.
These developments underscore the value of a forward-looking strategy that anticipates and addresses these emerging, intersecting risks and reduces the prospect of becoming a target of litigation claims and regulatory scrutiny. Businesses on the front foot with clear, robust and secure privacy and data protection practices will also earn and maintain trust in their stewardship of the personal information they collect and handle, a fundamental part of the social licence to operate in today’s digital economy.
Data spills and cascading risks
As ransomware and other cybercrime tactics proliferate, the business risk they pose across entity sizes and sectors is evident. The operational disruption, reputational impact and losses of revenue, data and customers that can flow from such incidents are widely recognised.
A compounding risk arising from either orchestrated or accidental data spills is the litigation that can follow in their wake. Claims may be brought by clients, employees or suppliers whose information is leaked or stolen, or by contractors impacted by business interruption.
Mass data breaches attract class action risk, as Optus, Medibank and Latitude have each experienced over the course of this year. Medibank is facing no fewer than five sets of major group proceedings (some consolidated) stemming from its network hack: two consumer class actions, two shareholder class actions, and a fifth representative complaint filed with the OAIC.
Under current laws, as pleaded in these class actions, entities can expect to face allegations that they breached duties of confidence, care or contractual terms, misrepresented their cyber-security and privacy controls, or breached continuous disclosure rules or sector-specific obligations.
Amplified litigation risk arising from Privacy Act changes
The reform of the Privacy Act acknowledges that Australia’s legislation lags behind international benchmarks and technology advancements (drafted in the late 1980s, the Act does not contemplate the privacy implications of e-commerce, data harvesting or facial recognition technology).
On 28 September 2023, the Australian Government issued its Response to the Privacy Act Review Report, agreeing to 38 proposals for privacy law reform, agreeing in-principle to 68 proposals and noting 10 proposals. Legislation to bring the ‘agreed’ proposals into law is expected in 2024, with further consultation to now take place on the proposals ‘agreed in-principle’.
While balanced against business innovation and regulatory burden, the reforms tip the balance in favour of individuals’ privacy rights.
From the perspective of corporate Australia, a clear emerging risk from the proposals is the vastly increased scope for litigation against organisations for privacy breaches.
Two new rights have been agreed in-principle for individuals to litigate following interferences with their privacy. These rights are intended to deter misconduct and open up compensation avenues, reflecting a finding that 89% of Australians said they should be able to seek compensation in the courts for a breach of privacy.
Both proposed rights are significant, being entirely new under Australian law, and providing novel litigation pathways for privacy breach claims. There is no well-established action or tort for invasion of privacy in Australia, unlike New Zealand, the United Kingdom, the United States and Canada. Currently, individuals also have no right to sue an organisation for Privacy Act breaches per se, which is the reason for the reliance on alternative causes of action (such as misleading conduct) in various class actions brought in 2023.
While further clarity will only emerge through the legislative drafting process, assuming both litigation rights are progressed following the consultation/deliberation phase, details ascertained to date are as follows:
| Litigation right | Direct right of action for Privacy Act breaches | Statutory tort for serious invasions of privacy |
|---|---|---|
| Details | Available to individuals seeking compensation for loss or damage suffered as a result of Privacy Act breaches. To encourage early resolution of claims and minimise the potentially large burden on the courts, a complaint must first be lodged with the OAIC or a recognised External Dispute Resolution scheme. Where there is no reasonable likelihood that the complaint could be resolved by conciliation, or it is assessed as unsuitable for conciliation, the complainant may pursue the matter further in court. | Available to individuals seeking compensation for serious invasions of privacy, extending to circumstances falling outside the Privacy Act. Based on the model recommended by the Australian Law Reform Commission (ALRC) in Report 123. |
| Remedies | Any order the court sees fit, including any amount of damages. | Per ALRC Report 123. |
| Defences | Yet to be specified. | Defences such as necessity, consent, publication of public documents and conduct required or authorised by law (per ALRC Report 123). |
Key questions remain as to how these rights would operate, such as any minimum claim thresholds, and the requirements for proof and assessment of loss or damage (including emotional distress). It is clear, however, that such rights would herald a new era of data and privacy breach litigation in Australia, unleashing claims of varying values, both individually and aggregated as class actions, with the added potential for exemplary or punitive damages.
These reforms would markedly increase the litigation risk faced by entities, particularly in cases of large data breaches and/or spills of confidential or sensitive information. Such exposures can ultimately translate into significant reputational and financial impact.
OAIC is stepping up
In parallel, organisations should take note of heightened enforcement and civil penalty risk. The OAIC’s toolkit is being sharpened by agreed Privacy Act reforms, including:
- Clarification of conduct caught by the civil penalty provision for serious interferences with privacy (bearing a maximum penalty of $50 million or more), such as serious failures to take proper steps to protect personal data
- A new mid-tier civil penalty provision for interferences with privacy without a ‘serious’ element
- A new low-level civil penalty provision for administrative breaches – e.g. a failure to have a compliant privacy policy
- Power for courts to order any remedy they see fit for breaches of civil penalty provisions for interferences with privacy
- Enhanced OAIC investigative and enforcement powers
To resource increased enforcement action, consideration is being given to an industry funding model, a contingency litigation fund and an enforcement special account to fund high cost litigation by the OAIC.
ASIC flags action against Boards and C-Suites
For company directors and officers, it is also important to remain cognisant that, in fulfilling their duty to act with care and diligence, they must take reasonable care to guard against foreseeable risks of harm to their company. Increasingly, failures to ensure appropriate privacy, data and cyber-security protections can expose a company to foreseeable risks of harm (in the multitude of ways highlighted above), and expose directors and officers to personal liability for a breach of this duty.
To that end, ASIC has signalled that in cases of egregious failures to mitigate the risks of cyber-attacks, it will consider taking enforcement action against company directors and officers. This message was conveyed in several recent ASIC speeches, including ASIC’s session at the Governance Institute’s Regulators Forum in September 2023.
At the time of writing, ASIC had previously brought Federal Court proceedings against corporations (RI Advice Group and Lanterne Fund) in relation to cyber-risk management, but not individual directors or officers. With this approach now set to change, it is critical for Boards and Executives to take (and be able to show that they have taken) reasonable steps to reduce cyber and data risks to an acceptable level.
Checklist: actions to take now
Organisations, directors and officers are wise to get ahead of the incoming Privacy Act reforms and the trend of closer regulatory scrutiny, by taking steps to strengthen data stewardship and mitigate against present and future (yet foreseeable) litigation and enforcement risks.
Those leading the way in protecting the data with which they are entrusted will also benefit from the enhanced confidence and loyalty of customers and other stakeholders, and the competitive advantages that can follow.
- Privacy and data practices – Ensure privacy and data governance frameworks and practices fully comply with existing legislative requirements. Regularly assess their fitness for purpose against the organisation’s needs and threat environment, and verify their implementation in practice. Consider and prepare for the uplifted requirements on the horizon arising from the Privacy Act reform and the soon-to-be released 2023-2030 Australian Cyber Security Strategy.
- Information audit and reduction – Undertake an audit of the organisation’s data and digital assets (and liabilities). Review data retention policies. Destroy personal information that is no longer needed, or no longer required by law to be retained, so that any unauthorised access exposes less and causes less harm.
- Outward representations – Assess whether collection notices, privacy policies, contractual terms and other outward representations (for example, in marketing materials, websites and disclosure statements) with respect to data handling and cyber-security practices are clear, up to date and actually adhered to across the business. Verify that they are accurate and not misleading.
- Third-party contracts – Review the extent to which personal information is disclosed externally, the data protection, cyber-security and privacy practices of third parties with whom it is shared, and required contractual terms (such as minimum cyber standards for suppliers and tailored data incident and indemnity clauses).
- Accountability – Ensure that relevant organisational roles and responsibilities are well-defined and understood, including reporting metrics and appropriate monitoring at Board level. Implement training and drills to promote a culture of privacy and cyber best-practice.
- Cyber-security – Invest in cyber-security, resilience and preparedness, and consider insurance options. Embed robust systems to reduce the risk of data breaches (malicious and inadvertent) and to mitigate their impact and resulting harm to both the business and affected individuals. Refine multi-disciplinary incident response plans, incorporating legal and communications strategies. In managing incidents that occur, obtain expert assistance early and ensure that legal professional privilege attaches to advice obtained.
- Proof – Keep thorough compliance records, to evidence the steps taken should they be questioned in a regulatory or litigation context down the track.
Further information
See also Government Response to Privacy Act Review Report and Australian Law Reform Commission Report 123.
LK Principal, Amy Cooper-Boast, advises on dispute avoidance/resolution, directors’ duties, privacy and risk mitigation.
For enquiries or assistance, please contact Amy Cooper-Boast (acooper-boast@lk.law / 08 8239 4615).