Courts around the world hearing claims brought by consumers in respect of data breaches have long grappled with the concepts of ‘loss’ and ‘damage’ in a data breach context. Consumers who have not yet had their stolen data used by cybercriminals commonly make a claim for compensation on the basis that their data may be used in future.
In recent proceedings (HYYL and Privacy Commissioner  AATA 2961), involving the administrative review of a determination made by the Australian Information Commissioner (Commissioner), the Australian Administrative Appeals Tribunal has ruled that proof of loss or damage is a prerequisite to orders for compensation made by the Commissioner under the Privacy Act 1988 (Cth) s 52.
The background to the matter is as follows:
in February 2014, the Department of Home Affairs (Department) released a report containing the personal details of more than 9,086 detainees. The data leak contained names, gender, citizenship, date of birth, period of detention, boat arrival details, and reasons why the individuals were considered unlawful non-citizens (Breach);
a complaint to the Commissioner was lodged and the matter was investigated;
during the investigation, the Department issued a notice to the 9,086 affected detainees which set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation (Notice);
although 9,200 detainees were subject to the Breach, only 2,500 registered to participate in the OAIC proceedings and only 1,295 provided evidence of non-economic loss;
in January 2021, the Commissioner made a determination ordering the Department to compensate those detainees who produced proof of economic and non-economic losses resulting from the Breach (Determination); and
in February 2021, two of the detainees affected by the breach filed an action in the Administrative Appeals Tribunal (AAT), on behalf of any persons affected by the Determination, for review of the Determination. The applicants argued that all members affected by the leak suffered a common, non-individualised loss and, as a result, should be awarded a base payment of AU$10,000 each, regardless…