Cyber-security has rapidly emerged as a subject of critical concern across government, business, and the legal profession. The significance of data-security and digital privacy largely entered the public consciousness in Australia following allegations Facebook had collected and sold user data to third parties without their consent.[1] These revelations led the Australian Information Commissioner (AIC) to commence proceedings in the Federal Court of Australia, alleging the company had committed serious and repeated interferences with privacy in contravention of Australian privacy law.[2] The Optus and Medibank cyber-attacks and Telstra data leak in 2022, demonstrate the inadequacy of extant cyber-security systems relied upon by Australia’s largest corporations.[3] Following these breaches, in October 2022, Attorney-General Mark Dreyfus KC opined that “…existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”[4]
Building on the 2019 review of the Privacy Act 1988 (Cth),[5] in December 2022, the Commonwealth Parliament passed an amendment to the legislation providing the AIC with greater powers to investigate possible data breaches and enforce cyber-security standards.[6] The amendment also elevates the maximum civil penalty for serious or repeated breaches from $2.2m to the greater of $50m, 30% of a company’s annual turnover, or three times any benefit obtained.
A breach of confidential informational is a well-established cause of action under common law, in the instance of interference with contractual relations. In Moorgate Tobacco Co Ltd v Phillip Morris (No 2),[7] the High Court recognised breach of confidence as an equitable cause of action. This can arise when a party reveals confidential information to another on the understanding that the information is only to be used for a specific purpose. If a reasonable person, in the recipient’s position, would have understood the information was provided to them in confidence, the Court will impose an equitable obligation of confidence.[8] The High Court has also determined that if information is disclosed for a limited purpose, the recipient party cannot use that information for any other purpose.[9]
In ABC v Lenah Game Meats Pty Ltd,[10] the High Court held that there is no tort for breach of privacy; however, Chief Justice Gleeson signalled, at [35], that the Court could be receptive to recognising a right to privacy with a caveat acknowledging the implied right of political communication. In January 2023, Mr Dreyfus confirmed that the Attorney General’s department was currently considering further amendments to the Privacy Act that would incorporate a “longstanding recommendation of the Australian Law Reform Commission to create a statutory tort of privacy”.[11] Additionally, Mr Dreyfus indicated that a range of further reforms were currently under consideration which would align Australia’s privacy regime with the European Union’s General Data Protection Regulations. In September 2023, the Attorney-General stated that the Commonwealth government intends to significantly bolster the current privacy regime throughout 2024, including removing the Privacy Act exemption for small businesses.[12]
This rapidly evolving space, as organisations adapt to a changing regulatory regime, and combat the growing prevalence of cyber-attacks, represents an exciting and turbulent period for Australian class action practices. In January 2023, three firms combined their investigations against Medibank in a representative privacy complaint lodged with the Office of the Australian Information Commissioner (OAIC).[13] On 7 February 2023, a representative proceeding was filed in the Federal Court of Australia against the company on behalf of current and former policyholders on the basis that Medibank failed to meet its obligations under contract and in accordance with the Privacy Act.[14] On 29 March 2023, an alternate class action proceeding was filed in the Supreme Court of Victorian on behalf of shareholders, alleging the company had failed to disclose deficiencies in its security systems to the ASX.[15] Cyber-security will continue to develop as a highly competitive area of class action practice as law firms and other stakeholders advance their knowledge in the area, and the OAIC continues to shape its policy in applying Australia’s evolving privacy law.
[1] Shiona McCallum, ‘Meta settles Cambridge Analytica scandal for $725m’ BBC (24 December 2022)
[2] ‘High Court clears way for OAIC case against Facebook to proceed’ Office of the Australian Information Commissioner (7 March 2023)
[3] ‘Optus notifies customers of cyberattack comprising customer information’ Optus (22 September 2022)
‘Cybercrime updates and support’ Medibank .
Yolanda Redrup, ‘Telstra slips up as details of 130,000 customers go online’ Australian Financial Review (11 December 2022)
[4] Amy Remeikis and Paul Karp, ‘Australian companies to face fines of $50m for data breaches’ The Guardian (22 October 2022)
[5] Robert Ishak, ‘(Some) Privacy to the People (Maybe)’ William Roberts Lawyers
[6] Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, Parliament of Australia
[7] (1984) 156 CLR 414, 437-8.
[8] Mense v Milenkovic [1973] VR 784, 801.
[9] Coastal Australia Pty ltd v Emtech Associates Pty Ltd & Ors (1981) 33 ALR 31, 46-47.
[10] (2001) 208 CLR 199.
[11] Paul Karp, ‘Australia to consider European-style right to be forgotten privacy laws’ The Guardian (19 January 2023)
[12] ‘Government response to the Privacy Act Review Report’ Attorney-General’s Department (28 September 2023)
[13] John Davidson, ‘Three law firms join forces for mega privacy case against Medibank’ Financial Review (15 January 2023)
Medibank Data Breach Investigation and Complaint, Maurice Blackburn Lawyers
[14] Ayesha de Kretser, ‘Baker McKenzie turns the tables and takes on Medibank’ Australian Financial Review (8 February 2023)
[15] Jerome Doraisamy, ‘New class action filed against Medibank’ Lawyers Weekly (29 March 2023)
The content of this article is intended to provide a general guide to the subject matter. Specific advice should be sought about your specific circumstances.
