11 December 2020

56.     How should any direct right of action under the Act be framed so as to give individuals greater control over their personal information and provide additional incentive for APP entities to comply with their obligations while balancing the need to appropriately direct court resources?

10.1 The OAIC supports the introduction of a direct right of action for individuals to seek compensation for an interference with their privacy under the Privacy Act. A direct right of action would give individuals greater control over their personal information by providing an additional avenue of redress under the Privacy Act. It would also provide an additional incentive for APP entities to comply with their privacy obligations.

10.2 A direct right of action would complement the OAIC’s recommended enhancements to the Commissioner’s enforcement powers (see Part 9, above), providing individuals with the right to seek judicial redress of their own accord, in addition to the suite of regulatory outcomes available from the OAIC. This proposal is also consistent with the OAIC’s 2020 ACAPs results, which showed that 78% of respondents believe that they should have the right to seek compensation in the courts for a breach of privacy.

10.3 Several domestic regulatory regimes already enable individuals to directly take action in court to seek compensation for breaches of the law. For example, under the CDR regime in the Competition and Consumer Act 2010 (Cth), individuals have the right to bring an action for damages against another person for breach of the privacy safeguards or the Consumer Data Rules (to the extent that those rules relate to the privacy safeguards or to the privacy or confidentiality of CDR data).[218]

10.4 More broadly, a direct right of action would bring the Australian privacy framework into line with other international jurisdictions including the United Kingdom, New Zealand, Japan, Singapore and the European Union.

Framing a direct right of action

10.5 The OAIC supports the ACCC’s recommendation in the DPI final report that individuals should have a direct right to bring actions and class actions against APP entities in the Federal Court or the Federal Circuit Court to seek compensatory damages, as well as aggravated and exemplary damages (in exceptional circumstances), for the financial and non-financial harm suffered as a result of an interference with privacy under the Privacy Act.[219]

10.6 The OAIC has a number of recommendations, set out below, about the way that a direct right of action should be framed under the Privacy Act. In making these recommendations, the OAIC acknowledges the need to balance the benefits of a direct right of action for individuals and APP entities with the need to ensure that court resources are being appropriately directed and are not taken up by trivial breaches of the Privacy Act or APPs.

Harm threshold

10.7 The Issues Paper notes that one way of achieving this balance may be to limit the right of direct action to the courts to ‘serious’ breaches of the Act or APPs.

10.8 The OAIC considers that limiting the direct right of action to ‘serious’ breaches of privacy would substantially curtail its effectiveness. In particular, a key benefit of a direct right of action is to provide individuals with greater agency and control over the handling of their personal information. Limiting the direct right of action to ‘serious’ breaches would preclude many individuals from seeking recourse in the courts for breaches of their privacy. It follows that this would also limit other potential benefits, including increased opportunities for the courts to interpret the APPs and incentivising APP entities to comply with their obligations.

10.9 Several international jurisdictions with private rights of action under their domestic privacy legislation do not prescribe a particular harm threshold that must be met before an individual can seek redress in the courts.

10.10 For example, Singapore’s Personal Data Protection Act 2012 provides that any person who suffers loss or damage directly as a result of a contravention of the Act by an organisation shall have a right of action for relief in civil proceedings in a court.[220] Similarly, under Article 79 of the GDPR, data subjects have a general right to ‘an effective judicial remedy against a controller or processor’ where they consider that their data protection rights have been infringed as a result of non-compliance with the GDPR. Under Article 82, any person who has suffered material or non-material damage (such as emotional distress) as a result of a violation of the GDPR has the right to compensation. Compensation is the remit of the courts and cannot be awarded by supervisory authorities under the GDPR or the UK’s Data Protection Act 2018. Supervisory authorities do, however, have the ability to impose administrative fines.

Recommendation 51 Ensure that the direct right of action is not limited to ‘serious’ breaches of the Privacy Act or the APPs.

Procedural considerations

10.11 The Issues Paper highlights that a key consideration is whether individuals should first be required to undergo conciliation by the OAIC, or some other administrative body, before commencing action in the courts. Alternatively, complainants could choose which avenue to pursue in the first instance. That is, individuals could elect whether to apply directly to the courts, or to seek conciliation with the OAIC, depending on their preference.

10.12 The OAIC considers that the direct right of action should be framed so that individuals are required to make a complaint to the OAIC before applying to the courts. Further, similar to the existing approach under s 41 of the Privacy Act, the Commissioner should be provided with the appropriate powers to decline to investigate a complaint where it is more appropriately dealt with in the courts. In these circumstances, the individual or class of individuals could then pursue further redress in the courts through the direct right of action.

10.13 This approach should be consistent with the existing complaint-handling provisions under the Privacy Act which do not require the OAIC to attempt to resolve the complaint through conciliation where the OAIC has decided not to investigate, or not to further investigate, a complaint.

10.14 The OAIC considers that the direct right of action would be a more appropriate vehicle for representative complaints in certain circumstances. Consistent with the above, the Commissioner should have appropriate powers to decline to investigate a representative complaint where it is more appropriately dealt with by the courts.

10.15Additionally, the existing representative complaint provisions do not provide the OAIC with the full suite of powers that are available to the Federal Court for the management of class actions under the Federal Court of Australia Act 1976 (Cth) (Federal Court Act). For example, s 38B(2) of the Privacy Act states that a class member in a representative complaint may opt out if the complaint was lodged without the consent of the member at any time, or otherwise at any time before the Commissioner begins to hold an inquiry into the complaint. This means that the Commissioner is unable to put a definitely timeframe on opting out. This contrasts with s 33J of the Federal Court Act, which states ‘The court must fix a date before which a group member may opt out of a representative proceeding.’

10.16 Accordingly, the OAIC recommends that the representative complaint provisions under Part V of the Privacy Act are revised to ensure greater alignment with the powers of the Federal Court under the Federal Court Act in relation to the management of class actions.

10.17 The OAIC considers that this approach would continue to provide the OAIC with national oversight of privacy issues and the ability to identify potential systemic issues in the system that may warrant further regulatory or enforcement action. Additionally, it may reduce the burden on the court system by continuing to provide individuals with a free dispute resolution mechanism while still providing more direct access to the courts than the current complaint mechanisms under the Act.

Recommendation 52 Ensure that the direct right of action is framed so that individuals are required to make a complaint, or a representative complaint, to the OAIC before applying to the courts.

Recommendation 53 Ensure that the Commissioner has appropriate powers to decline to investigate a complaint or representative complaint, or continue to investigate a complaint or representative complaint, where the matter is more appropriately dealt with by the courts.

Recommendation 54 Revise the representative complaint provisions under Part V of the Privacy Act to ensure greater alignment with the powers available to the Federal Court under the Federal Court Act in relation to the management of class actions.

Damages

10.18 Capping compensation may be justified on the basis that it may reduce the incentive for parties to litigate, making the right of action potentially less costly. However, capping the amount of damages that may be awarded could lead to a preponderance of lesser rather than more serious breaches of the Privacy Act coming before the courts and a lack of confidence in the direct right of action.

10.19 While most examples of direct rights of action for consumers relate to financial or other consumer complaints where loss and damage is usually easily quantifiable (i.e. it is financial harm or economic loss), the compensation regime for unlawful discrimination under the Australian Human Rights Act 1986 (Cth) provides for damages to be awarded for non-economic loss, including hurt, humiliation and distress with no damages cap.

10.20 In quantifying such awards of damage, the decided cases indicate that awards should be restrained but not minimal, and not so low as to diminish the respect for the public policy of the legislation. Aggravated and exemplary damages have also been awarded in limited unlawful discrimination matters.

10.21 The OAIC does not consider that compensation should be capped in relation to the direct right of action under the Privacy Act. This will enable the courts through their judgments to set standards for appropriate types and levels of damages for privacy breaches taking into account the particular facts and circumstances of each case. This approach would also enable compensation amounts awarded by courts to reflect, and keep pace with, the changing landscape of privacy harms.

Recommendation 55 Ensure that damages recoverable under a direct right of action for privacy breaches are not capped.

Role of the OAIC

10.22 A clear role for the OAIC in the direct right of action will help to ensure that the court has access to the expertise of the regulator. The Issues Paper notes this could be done by allowing the Commissioner to be heard in proceedings and provide expert assistance as amicus curiae.

10.23 The role of an intervener is to represent the intervener’s own legal interests in the proceedings.[221] For example, a court’s decision might have an effect on the future interpretation of laws affecting the intervener. In these circumstances, the court could give leave to the Commissioner to intervene in a case that would have future repercussions for the work of the OAIC or for regulated entities more broadly.

10.24 Other domestic regulators have specific rights in relation to direct rights of action under their legislation. Specifically, ASIC and the ACCC have rights to intervene in certain proceedings with all the rights, duties and liabilities of a party. Both ASIC and the ACCC have developed guidelines including principles to be considered when deciding whether to intervene.

10.25 An amicus curiae is a person who seeks to assist the court and does not involve becoming a party to the proceedings. Again, other domestic regulators have a right to seek leave of the court to appear as amicus curiae. For example, ASIC may appear as amicus curiae under court rules (e.g. Federal Court (Corporations) Rules 2000) or, where applicable, the court’s own inherent authority.

10.26 Similarly, special-purposes Commissioners (as defined under various human rights legislation) have a right to assist the court as amicus curiae. The Commissioners' amicus curiae function can only be exercised with the leave of the Federal Court where the Court is hearing an application alleging unlawful discrimination under Division 2, Part IIB of the Human Rights and Equal Opportunity Commission Act (Cth). The Commissioner/s may seek leave to appear as amicus where the:

  • Commissioner thinks the orders may affect to a significant extent the human rights of persons who are not parties to the proceedings
  • proceedings, in the opinion of the Commissioner, have significant implications for the administration of the relevant Act/s, or
  • proceedings involve special circumstances such that the Commissioner is satisfied that it would be in the public interest for the Commissioner to assist the Court as amicus.

Recommendation 56 Supplement the direct right of action with legislative options for the OAIC to exercise:

  • a right to intervene in proceedings (or alternatively to seek the leave of the court to intervene)
  • a right to seek leave of the court to act in the role of amicus curiae in the proceedings.

Footnotes

[218] Competition and Consumer Act 2010 (Cth), s 56EY.

[219] Australian Competition and Consumer Commissioner, Digital Platforms Inquiry Final Report (June, 2019), 472.

[220] Section 32, Personal Data Protection Act 2012 (Singapore).

[221] Australian Law Reform Commission (ALRC) (2014) Serious Invasions of Privacy in the Digital Era (ALRC Report 123), ALRC, Australian Government, accessed 29 November 2020.