Privacy remedies: When emotional harm can lead to financial pain

May, 2015

By Christina Graves, Senior Associate and Sharon Sangha, Lawyer

Determinations made under the Privacy Act 1988 demonstrate that the Privacy Commissioner will likely award compensation for non-economic loss where an individual suffers emotional harm, humiliation or inconvenience as a result of a privacy breach. However, responding to privacy incidents in an efficient and conciliatory way may reduce the extent of the harm and the risk of aggravated damages being awarded.

Privacy regulatory action since the reforms

According to its website, the Office of the Australian Information Commissioner (OAIC) has seen a significant increase in the number of privacy complaints (up 43%) and privacy enquiries since the privacy reforms commenced on 12 March 2014. From that time to date, there has also been an increase in privacy regulatory action by the OAIC with:

The Privacy Commissioner also recently accepted an enforceable undertaking from Optus following three significant privacy incidents, being the first enforceable undertaking made under the privacy reforms.

Trends in compensation awards
Under the Privacy Act, if the Privacy Commissioner finds that a privacy breach has occurred, he may determine that an individual is entitled to loss or damage suffered as a result of the breach, including economic and non-economic loss.

The Privacy Commissioner has awarded compensation for non-economic loss (distress, humiliation and other emotional harm) in 6 of the 7 privacy determinations published since March 2014, ranging from $5,000 (‘CP’ and Department of Defence [2014] AICmr 88) to $18,000 (‘DK’ and Telstra Corporation Limited [2014] AICmr 118). In doing so, the Privacy Commissioner has applied the principles in Rummery and Federal Privacy Commissioner and Anor [2004] AATA 1221 (where $8,000 was awarded), which include the following:

In the most recent privacy determinations:

Aggravated damages

While no awards of compensation for aggravated damages appear to have been made since 2010, it would be open to the Privacy Commissioner to do so, particularly if:

This highlights the importance of implementing systems and procedures to not only reduce the risk of privacy breaches in the first instance, but also an entity’s response to privacy incidents.

Contact Mills Oakley

For more information, please contact:

rohan-white

Rohan White | Partner
T: +61 2 8289 5863
E: rwhite@millsoakley.com.au

Privacy Policy | Terms of Use