Global litigation funder IMF Bentham Ltd (IMF) has launched a representative complaint with the Office of the Australian Information Commissioner (OAIC) seeking, amongst other things, financial compensation for alleged breaches of the Privacy Act 1988 (Cth) by Facebook Inc (Facebook). The action relates to unauthorised access to over 87 million Facebook users’ data by political consulting firm, Cambridge Analytica.

The class action has the potential to be formed by over 300,000 Australian class members who are alleged to be affected. The news of the IMF action coincides with the UK Information Commissioner’s announcement this week of its intention to fine Facebook £500,000 for breaching UK laws by failing to safeguard its users’ data and failing to be transparent about how data was harvested by others on its platform.

Do we expect more privacy related class actions in Australia?


As we have considered for some time, we expect Australia to follow the trends seen in the US in relation to privacy related class actions. In the US, cyber-related “data breach” class actions have become common. In 2016, 76 federal data breach class actions were filed in the United States District Courts, representing a 7% increase in the number of cases filed compared to the previous year.

What’s more, cyber-related investor class actions in the US had been historically limited to shareholder derivative actions claiming that a company’s directors and officers failed to properly oversee the organisations’ cyber risks. In the past twelve months, however, this has changed with several high-profile securities fraud class actions arising out of cyber incidents at Fortune 500 Companies.

How a rise in class actions will affect companies

The rise in data breaches has resulted in a significant increase in investor scrutiny of a company’s cyber security as a data breach can have a detrimental effect on a company’s reputation and its share price. Companies that do not have reasonable cyber security measures in place could find themselves on the wrong end of a regulatory investigation or shareholder class action. In particular, directors and officers need to be aware of the increasing risk data breaches pose, especially in relation to their duty to act with care and diligence in their role.

We will soon be releasing a dedicated blog about what directors and officers need to know in order to protect themselves from exposure to cyber-related class actions, to ensure they are well positioned to deal with the new regulatory landscape and the start of privacy-based class actions in Australia. If you are not already subscribed to our blog, you can do so here.