Faceplant: Are multiple civil penalties (im)possible for the one privacy breach?


By Alec Christie, Partner

As you likely have read, for the first time since their introduction the Office of the Australian Information Commissioner/Privacy Commissioner (OAIC) has filed proceedings seeking the imposition of civil penalties under s13G of the Privacy Act for both a serious interference and repeated interferences with the privacy of individuals by Facebook.

The fact that the enforcement action is against Facebook, arises from the well-publicised Cambridge Analytica/This Is Your Digital Life app issues, involves some 311,127 Australian Facebook users (Affected Individuals) and with potentially extremely large civil penalties to be imposed, is enough to attract significant media and community attention.

However, the real and lasting impact (and tangible significance) of this for Australian businesses will be the OAIC’s approach (if they are successful) to the imposition of the civil penalties available to them.

The current thinking

The OAIC’s ability to seek to have the Federal Court impose civil penalties under the Privacy Act became ‘live’ in February 2014. At the time this was seen as a significant step up for the OAIC, in terms of the ‘stick’ that it could wield. Up until last week, however, the OAIC had not sought to impose civil penalties on anyone, and there was uncertainty as to precisely how these civil penalties might be applied.

The ‘common wisdom’ was that any civil penalty imposed would apply to the totality of the event and all the individuals involved, not to each of the individuals whose privacy was interfered with as a result of the event. That is, whether there was one or 100,000 individuals concerned, the breach of the relevant APP (i.e. the serious interference with privacy impacting all of them) arising out of that one event would be subject to the one civil penalty of, as it was then, up to $1.7 million (now $2.1 million) (Single Fine Theory). For alleged repeated interferences with privacy (s13G(b) of the Privacy Act) the widely held belief is also that only the one civil penalty of up to $1.7 million (now $2.1 million) would be imposed for the entirety of both the one ‘set’ of repeated interferences and the group of individuals affected by such (again, the Single Fine Theory).

The OAIC’s Statement of Claim (Claim)

The Claim filed by the OAIC reveals a possible alternative to the Single Fine Theory. That is, for a serious interference (and possibly the repeated interferences) with an individual’s privacy the civil penalty should be applied in respect of each of the Affected Individuals (Multiple Fines Theory).

Under the Multiple Fines Theory the OAIC could seek to have a civil penalty of up to $1.7 million (as it was then) imposed on Facebook for each of the Affected Individuals to which a serious interference with their privacy (or repeated interferences with their privacy) occurred, even though all such serious interferences with privacy arose from the one event/breach.

While we do not yet know the precise amount of the civil penalties sought by the OAIC, at 311,127 Affected Individuals times $1.7 million (as the maximum potential civil penalty), if successful for all these Affected Individuals, the theoretical total maximum penalty that could be sought to be imposed on Facebook is a staggering $528 billion for each of the two claimed breaches (specifically of APPs 6 and 11) leading to a serious interference/repeated interferences with the privacy of the individuals.

These fines are at the Court’s discretion (and something tells me $528 billion per claimed breach is off the table), the Multiple Fines Theory is not a ‘slam dunk’, and the number of Affected Individuals may ultimately be limited to those that the OAIC can prove suffered a serious interference (or repeated interferences) with their privacy. Even so, the total fine could still run to hundreds of millions of dollars if the Multiple Fines Theory is applied successfully.

The APP 6 grounds

APP 6 requires that personal information of an individual collected for a particular notified purpose (often referred to as the ‘primary purpose’) cannot be disclosed or used for a secondary purpose unless the individual has consented to such secondary disclosure or a specific exception applies which permits the disclosure or use for that secondary purpose.

In the absence of any specific exception applying or consent having been obtained from each of the Affected Individuals, any use or disclosure of the personal information of each Affected Individual beyond the primary purpose will be an infringement of APP 6 and thus an interference with the privacy of each individual concerned (s13 of the Privacy Act). Where it can be shown that such an interference is a serious interference of privacy of that individual the civil penalty (up to a maximum of $1.7 million in this case) is ‘available’ to be imposed by the Federal Court for each such individual.

Alternatively, if this is not a serious interference for each Affected Individual in his/her own right then, as either: (a) a number of continuing or repeated breaches/interferences for each individual; or (b) repeated breaches/interferences for the group of Affected Individuals (i.e. when taken as a whole), a civil penalty could be imposed under s13G(b) of the Privacy Act for repeated interferences with the privacy of individuals. In this case, (a) could, under the Multiple Fines Theory, be grounds for the application of a civil penalty potentially for each of the Affected Individuals, whereas (b) is more likely to attract a single fine of up to $1.7 million for the entirety of the ‘set’ of repeated interferences and the whole group of Affected Individuals.

The APP 11 grounds

The OAIC’s request for civil penalties for the infringement of APP 11 (i.e. not taking reasonable measures to secure the information from unauthorised disclosure etc.) is more likely to be considered under the Single Fine Theory as a single event which, if not a serious interference with privacy of an individual in its own right, is likely repeated interferences for the group of Affected Individuals and is thus possibly subject only to a single civil penalty of up to $1.7 million under the Single Fine Theory. That is, Facebook would not be liable to a civil penalty for each of the Affected Individuals for the repeated interferences with privacy occasioned by the breach of APP 11 in this case.

Of course, even if the Single Fine Theory was the approach, the OAIC could seek that civil penalties apply to every security breach which is a breach of APP 11.1 (e.g. each of the five reasonable steps they plead at [76] in the Claim that Facebook should have taken but did not). That is, 5 × up to $1.7 million as the civil penalties to be applied for all of the separate security breaches/breaches of APP 11.1.

Wider ramifications

If the OAIC is successful with the Multiple Fines Theory, this case is a game changer. What was once considered one of the smallest fines for non-compliance will, overnight, have become potentially one of the largest regulatory fines for non-compliance with any law by a significant factor. For example, under the Multiple Fines Theory a serious interference with the privacy of an individual relating to just 100 individuals arising from a single privacy event/breach may expose a company to civil penalties of up to $170 million!

The further ‘bad news’ for businesses is that, if the Multiple Fines Theory is approved by the Court in relation to a breach of APP 6, breaches of APPs 3.3, 3.6, 4, 5, 7, 8, 9, 12 and 13, if found to be a serious interference with the privacy of an individual, would also lend themselves to the same reasoning for the quantum of civil penalties. Also, it may make any capped coverage for fines under a number of current Australian cyber and privacy insurance policies look a bit anaemic or, alternatively, make a few insurers with unlimited liability for fines in their policies feel very nervous.

The time is now

With the renewed focus of the media and the community on company failings in respect of privacy and of regulators (in particular in Financial Services) on cyber security and information management, can your organisation afford not to address privacy and cyber security? Even if you could bear the damage to your reputation, if the Multiple Fines Theory is supported by the Court in this case you will likely not be able to afford the potential civil penalties for a serious interference with the privacy of 1,000 or more individuals, even if it arises from the one privacy event/breach.

Boards are responsible, as part of their directors’ duties, for the cyber security preparedness of the organisation and, more and more, for compliance generally, including with privacy law. Management, risk, IT and the in-house legal functions must now elevate the twin pillars of cyber security and privacy compliance to the top of the first page of their to-do list – their organisation can’t afford for them not to. Now is the time to ensure that your privacy and information security practices are compliant or, at least, that you have done enough to avoid your actions (or lack of them) being considered a serious interference (or repeated interferences) with the privacy of an individual, resulting in an action by the OAIC for imposition of civil penalties for each of the affected individuals.

Given the potential size of the civil penalties (if the Multiple Fines Theory is successful) now is the time to consider your organisation’s:

  1. cyber and privacy insurance coverage;
  2. current compliance with cyber and privacy obligations; and
  3. ongoing assurance of cyber and privacy compliance,

and, in each case, your responsibility and liability for the third parties you ‘partner’ with.

Of course, we are happy to assist you with these assessments.

For further information, please do not hesitate to contact us.
