Australian tribunal provides further clarity regarding claims for ‘loss’ and ‘damage’ in a data breach context

Written By

jonathon ellis Module
Jonathon Ellis

Partner
Australia

I am an experienced litigation and investigations lawyer based in Sydney, leading Bird & Bird's Australian disputes and investigations practice and co-leading our global Defence and Security practice.

julie cheeseman Module
Julie Cheeseman

Partner
Australia

I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.

Courts around the world hearing claims brought by consumers in respect of data breaches have long grappled with the concepts of ‘loss’ and ‘damage’ in a data breach context. Consumers who have not yet had their stolen data used by cybercriminals commonly make a claim for compensation on the basis that that their data may be used in future.

In recent proceedings (HYYL and Privacy Commissioner [2023] AATA 2961), involving the administrative review of a determination made by the Australian Information Commissioner (Commissioner), the Australian Administrative Appeals Tribunal has ruled that proof of loss or damage is a prerequisite to orders for compensation made by the Commissioner under the Privacy Act 1988 (Cth) s 52.

The background to the matter is as follows:

  • in February 2014, the Department of Home Affairs (Department) released a report containing the personal details of more than 9,086 detainees. The data leak contained names, gender, citizenship, date of birth, period of detention, boat arrival details, and reasons why the individuals were considered an unlawful non-citizen (Breach);
  • a complaint to the Commissioner was lodged and the matter was investigated;
  • during the investigation, the Department issued a notice to the 9,086 affected detainees which set out the process by which class members who believed they had suffered loss or damage as a result of the data breach could establish their eligibility for compensation (Notice);
  • although 9,200 detainees were subject to the Breach, only 2,500 registered to participate in the OAIC proceedings and only 1,295 provided evidence of non- economic loss;
  • in January 2021, the Commissioner made a determination ordering the Department to compensate those detainees who produced proof of economic and non-economic losses resulting from the Breach (Determination); and
  • in February 2021, two of the detainees affected by the breach filed an action in the Administrative Appeals Tribunal (AAT), on behalf of any persons affected by the Determination, for review of the Determination. The applicants argued that all members affected by the leak suffered a common, non-individualised loss and, as a result, should be awarded a base payment of AU$10,000 each, regardless…

Full article available on Disputes +

Latest insights

More Insights
Curiosity line yellow background

Six Key Recommendations from Australia's Final Digital Platform Services Inquiry Report: What Digital Platform Businesses Need to Know

Jun 26 2025

Read More
Ferris wheel

Horizon Scanning 2025/2026

Jun 25 2025

Read More
featured image

Has the Revised Product Liability Directive reversed the Burden of proof placing it onto Producers? The Spanish Perspective

9 minutes Jun 24 2025

Read More