Courts around the world hearing claims brought by consumers in respect of data breaches have long grappled with the concepts of ‘loss’ and ‘damage’ in a data breach context. Consumers whose stolen data has not yet been used by cybercriminals commonly claim compensation on the basis that their data may be used in future.
In recent proceedings (HYYL and Privacy Commissioner [2023] AATA 2961), involving the administrative review of a determination made by the Australian Information Commissioner (Commissioner), the Australian Administrative Appeals Tribunal has ruled that proof of loss or damage is a prerequisite to orders for compensation made by the Commissioner under the Privacy Act 1988 (Cth) s 52.
The background to the matter is as follows:
- in February 2014, the Department of Home Affairs (Department) released a report containing the personal details of more than 9,086 detainees. The leaked data included names, gender, citizenship, date of birth, period of detention, boat arrival details, and the reasons why each individual was considered an unlawful non-citizen (Breach);
- a complaint to the Commissioner was lodged and the matter was investigated;
- during the investigation, the Department issued a notice to the 9,086 affected detainees which set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation (Notice);
- although 9,200 detainees were subject to the Breach, only 2,500 registered to participate in the OAIC proceedings and only 1,295 provided evidence of non-economic loss;
- in January 2021, the Commissioner made a determination ordering the Department to compensate those detainees who produced proof of economic and non-economic losses resulting from the Breach (Determination); and
- in February 2021, two of the detainees affected by the Breach filed an action in the Administrative Appeals Tribunal (AAT), on behalf of all persons affected by the Determination, for review of the Determination. The applicants argued that all members affected by the leak had suffered a common, non-individualised loss and should therefore be awarded a base payment of AU$10,000 each, regardless of whether they had established loss or damage.
In the recent decision, the Deputy President of the AAT, Perry J, agreed with the part of the Determination relating to proof of economic and non-economic loss, noting that ‘It is plain from the text and context of s 52 of the Privacy Act that compensation can be awarded only where class members establish that they have suffered loss or damage for the purposes of s 52’.
However, Perry J took issue with the form of the Notice, finding that:
- a substantial part of the class did not in fact understand the Notice (in circumstances where it was provided to a vulnerable class of detainees who required a reasonable explanation of the Notice and of the requirement to provide evidence of loss or damage); and
- the Notice did not define or provide examples of what would be considered ‘loss’ or ‘damage’.
Orders were made:
- allowing those members of the class who did not present evidence of loss or damage to provide such evidence within three months of a revised Notice being published; and
- setting up a compensation assessment scheme, which included the following guidance regarding compensation for non-economic loss:
| Category | Description | Quantum (AUD) |
| --- | --- | --- |
| 0 | The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the data breach. | $0 |
| 1 | Minor loss or damage resulting from the data breach (for example, general anxiousness, fear, anger, stress, worry, concern or embarrassment). | $500 – $4,000 |
| 2 | Moderate loss or damage resulting from the data breach (for example, moderate anxiousness, stress, fear, pain and suffering, distress and/or humiliation), which has caused minor physiological symptoms, such as some loss of sleep or headaches. | $4,001 – $8,000 |
| 3 | Major loss or damage resulting from the data breach (for example, major or prolonged anxiousness, stress, fear, pain and suffering, distress, humiliation, loss of sleep and/or headaches), which has caused psychological and/or physiological harm and has resulted in a consultation with a health practitioner. | $8,001 – $12,000 |
| 4 | Significant loss or damage resulting from the data breach (for example, the development or exacerbation of a diagnosed psychological or other medical condition), which has resulted in a prescribed course of treatment from a medical practitioner. | $12,001 – $20,000 |
| 5 | Extreme loss or damage resulting from the data breach. | > $20,000 |
What does this mean for businesses operating in Australia that are involved in a cyber incident where there is a loss of data?
Although this decision was made specifically in relation to compensation payable under the Privacy Act, the requirement for proof of loss or damage will be welcome news for organisations and agencies that handle high volumes of personal information, as it meaningfully limits their exposure under s 52 of the Privacy Act. The larger the class of individuals affected by a particular data breach, the more significant the requirement for proof of loss or damage is likely to be.
For further information, please contact:
Jonathon Ellis, Partner, Bird & Bird
jonathon.ellis@twobirds.com