Despite unprecedented levels of privacy breaches and ongoing debate, there is still no statutory regime or binding common law in Australia that establishes a cause of action for breach of privacy. However, the upcoming introduction of the mandatory data breach notification law, the Privacy Amendment (Notifiable Data Breaches) Act 2017 – which takes effect on 22 February 2018 – will undoubtedly cast a spotlight on data breaches that affect an individual’s privacy. So, how will the new law impact our privacy?
Gaining unauthorised access to personal or sensitive information has the potential to severely compromise an individual’s privacy and reputation. Despite the significantly increased risk in Australia, there is still a huge underappreciation of the number of data breaches occurring. In a 2017 Report, IBM estimated that in 2016 there were approximately 4 billion records leaked, a 556% increase from the 600 million in 2015.
Data breaches are rapidly increasing both in frequency and in their widespread publication. The severe financial damage and reputational costs have been highlighted by the data breaches involving Ashley Madison, Yahoo and more recently the WannaCry ransomware attack. As the data breach notification law comes into force we can expect a drastic uptick in publications and discussions around privacy.
In Australia, despite various recommendations by Federal and State Law Reform Commissions, no legislative body or Court has taken the step of developing a binding cause of action for breach of privacy. The absence of this development in Australia is inconsistent with other comparable jurisdictions, including the UK, Europe, New Zealand and some provinces in Canada.
Seriousness of Harm and Law Reform Commissions
To date, there have been five Law Reform Commission reports released, most recently by the South Australian Law Reform Institute in 2016.
An important issue for consideration in the development of a cause of action for breach of privacy is whether an action would require a ‘serious harm’ element. In their most recent report published in 2014, the ALRC defined seriousness as ‘important, demanding consideration, not slight’. In conjunction with creating a threshold for seriousness of harm, more recent Law Reform Commission reports also recommended adopting a narrow scope for bringing an action. Preference for a narrow approach would most likely minimise trivial actions being brought before the Courts.
Harm and Data Breach Notification
The issue of harm also features as part of the upcoming mandatory data breach notification laws. Under the upcoming legislation, a threshold question for when an affected individual is to be notified that their data has been the subject of unauthorised access is where there is a likely risk of ‘serious harm’ from that access.
While ‘serious harm’ is not defined in the Act, factors to be taken into account when determining the likelihood of serious harm include:
- the kinds of information;
- the sensitivity of the information;
- whether the information is protected by one or more security measures;
- the type of people or person who has obtained the information;
- whether the person obtaining the information has an intention to cause harm to any individual to whom the information relates; and
- the nature of the harm.
We expect case law to develop on the issue of serious harm and we will keep you updated on any developments.
As the mandatory notification law comes into effect and privacy breaches become more widespread and widely publicised, we consider that Australia may develop a statutory cause of action or tort for breach of privacy, especially in light of the position in other jurisdictions.
If such a law does develop, we believe that a serious harm element is likely to be included, to mitigate the prospects of opening the floodgates to a wave of claims.
Impact for Organisations and Insurers
Given the current legal landscape in Australia with no tort or statutory regime for breach of privacy, we expect the mandatory data breach notification laws may lead to a surge in regulatory investigations. In particular, the Office of the Australian Information Commissioner (OAIC) will be tasked with enforcing the new laws and ensuring compliance with the Australian Privacy Principles. The OAIC has power to issue significant fines to individuals and organisations for breaches of the Privacy Act.
Cyber insurance policies generally provide cover for the reasonable costs of responding to or defending an investigation by the OAIC as well as any fines issued. With the new legislation soon to take effect, it is a timely reminder to organisations to either review the scope and limit of cover under their current cyber policy or consider obtaining an appropriate policy depending on the size and nature of the organisation.