Australian tribunal provides further clarity regarding claims for ‘loss’ and ‘damage’ in a data breach context

Written By

Jonathon Ellis

Partner
Australia

I am an experienced litigation and investigations lawyer based in Sydney, leading Bird & Bird's Australian disputes and investigations practice and co-leading our global Defence and Security practice.

Julie Cheeseman

Partner
Australia

I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.

Emma Croft

Senior Associate
Australia

I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.

Courts around the world hearing claims brought by consumers in respect of data breaches have long grappled with the concepts of ‘loss’ and ‘damage’ in a data breach context. Consumers who have not yet had their stolen data used by cybercriminals commonly make a claim for compensation on the basis that their data may be used in future.

In recent proceedings (HYYL and Privacy Commissioner [2023] AATA 2961), involving the administrative review of a determination made by the Australian Information Commissioner (Commissioner), the Australian Administrative Appeals Tribunal has ruled that proof of loss or damage is a prerequisite to orders for compensation made by the Commissioner under the Privacy Act 1988 (Cth) s 52.

The background to the matter is as follows:

  • in February 2014, the Department of Home Affairs (Department) released a report containing the personal details of more than 9,086 detainees. The data leak contained names, gender, citizenship, date of birth, period of detention, boat arrival details, and reasons why the individuals were considered unlawful non-citizens (Breach);
  • a complaint to the Commissioner was lodged and the matter was investigated;
  • during the investigation, the Department issued a notice to the 9,086 affected detainees which set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation (Notice);
  • although 9,200 detainees were subject to the Breach, only 2,500 registered to participate in the OAIC proceedings and only 1,295 provided evidence of non-economic loss;
  • in January 2021, the Commissioner made a determination ordering the Department to compensate those detainees who produced proof of economic and non-economic losses resulting from the Breach (Determination); and
  • in February 2021, two of the detainees affected by the breach filed an action in the Administrative Appeals Tribunal (AAT), on behalf of any persons affected by the Determination, for review of the Determination. The applicants argued that all members affected by the leak suffered a common, non-individualised loss and, as a result, should be awarded a base payment of AU$10,000 each, regardless…

Full article available on Disputes +
