Australian tribunal provides further clarity regarding claims for ‘loss’ and ‘damage’ in a data breach context

Courts around the world hearing claims brought by consumers in respect of data breaches have long grappled with the concepts of ‘loss’ and ‘damage’ in a data breach context. Consumers who have not yet had their stolen data used by cybercriminals commonly make a claim for compensation on the basis that that their data may be used in future.

In recent proceedings (HYYL and Privacy Commissioner [2023] AATA 2961), involving the administrative review of a determination made by the Australian Information Commissioner (Commissioner), the Australian Administrative Appeals Tribunal has ruled that proof of loss or damage is a prerequisite to orders for compensation made by the Commissioner under the Privacy Act 1988 (Cth) s 52.

The background to the matter is as follows:

  • in February 2014, the Department of Home Affairs (Department) released a report containing the personal details of more than 9,086 detainees. The data leak contained names, gender, citizenship, date of birth, period of detention, boat arrival details, and reasons why the individuals were considered an unlawful non-citizen (Breach);
  • a complaint to the Commissioner was lodged and the matter was investigated;
  • during the investigation, the Department issued a notice to the 9,086 affected detainees which set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation (Notice);
  • although 9,200 detainees were subject to the Breach, only 2,500 registered to participate in the OAIC proceedings and only 1,295 provided evidence of non- economic loss;
  • in January 2021, the Commissioner made a determination ordering the Department to compensate those detainees who produced proof of economic and non-economic losses resulting from the Breach (Determination); and
  • in February 2021, two of the detainees affected by the breach filed an action in the Administrative Appeals Tribunal (AAT), on behalf of any persons affected by the Determination, for review of the Determination. The applicants argued that all members affected by the leak suffered a common, non-individualised loss and, as a result, should be awarded a base payment of AU$10,000 each, regardless…

Full article available on Disputes +

Latest insights

More Insights
Check-In Newsletter

Check-In - November 2023

Dec 01 2023

Read More
Wind Turbine Farm

The evolution of EU Energy: regulatory reforms post-Paris Agreement

Dec 01 2023

Read More
Defence and Security

Draft Guidelines on the scope of “cookie” rules: EDPB’s expansive interpretation could change the digital landscape

Dec 01 2023

Read More