How much is your privacy worth? Assessing compensation for breaches of the Privacy Act

By Ian Temby, Kate Ervin
03 Feb 2022
A year on from "WP" and Secretary, Department of Home Affairs, the categories of non-economic loss it sets out remain a helpful guide to assessing compensation under the Privacy Act.

On 11 January 2021 the Australian Information Commissioner delivered her determination in "WP" and Secretary, Department of Home Affairs [2021] AICmr 2 (WP), setting out a scale of the compensation payable for non-economic loss suffered as a result of the privacy breach that had occurred in that matter (publishing a report which permitted access to certain identifying information of people in detention as at a particular date). A review of the Commissioner's determination over the past year demonstrates that this scale remains a useful tool when assessing the compensation that is likely to be awarded for a breach of the Privacy Act.

The WP categories of non-economic loss

WP is the determination of a representative complaint, in which the Commissioner established a process to assess the compensation to be paid to class members. As part of that process, compensation for non-economic loss was to be calculated in accordance with the following categories:

Category

Indicative quantum

0. The individual has not provided a submission and/or evidence that substantiates loss or damage resulting from the Data Breach.

$0

1. General anxiousness, trepidation, concern or embarrassment, resulting from the Data Breach

$500 - $4,000

2. Moderate anxiousness, fear, pain and suffering, distress or humiliation, resulting from the Data Breach, which may cause minor physiological symptoms, such as loss of sleep or headaches, and may result in a consultation with a health practitioner

$4,001 - $8,000

3. Significant or prolonged anxiousness, fear, pain and suffering, distress or humiliation, resulting from the Data Breach, which may cause psychological or other harm, and may result in a prescribed course of treatment from a general practitioner

$8,001 - $12,000

4. The development or exacerbation of a mental health condition as a result of the Data Breach, resulting in a referral to a mental health specialist for treatment

$12,001 - $20,000

5. Extreme loss or damage resulting from the Data Breach.

> $20,000

What compensation has been awarded since WP?

The Commissioner has only awarded compensation in four published determinations in the year since she made the WP determination. However, each of those awards has been consistent with the WP categories:

  • In "WZ" and CEO of Services Australia (Privacy) [2021] AICmr12, the complainant experienced fear, psychological distress and anxiety, including a reactivation of the complainant's psychological symptoms, over a period of approximately three years. The complainant was awarded $10,000 for non-economic loss, which is consistent with category 3.
  • In "XA" and CEO of Services Australia (Privacy) [2021] AICmr 13, the complainant experienced frustration, annoyance and some distress, but did not experience "anxiety" in a clinical sense. The complainant was awarded $1,000 for non-economic loss, which is consistent with category 1.
  • In "XH" and "XI" (Privacy) [2021] ACmr23, the complainant experienced frustration, hurt feelings and distress, but did not experience any clinically diagnosed mental health issues or attendance with any health practitioner in relation to their emotional response to the privacy breach. The complainant was awarded $2,500 for non-economic loss, which is consistent with category 1.
  • In "XU" and Amazon Australia Services Inc (Privacy) [2021] AICmr 42, the complainant experienced hurt feelings and sought counselling, but was not diagnosed with anxiety, depression or psychological damage. The complainant was awarded $3,000 for non-economic loss, which is consistent with category 1. Further, in her determination, the Commissioner noted that the complainant had referred to the WP categories and indicated that the comparable category would be category 1.

What does this mean for other privacy complaints?

While the Commissioner stated in WP that the categories were specific to the circumstances of that case and were not intended to be used as a formula to determine compensation for non-economic loss in other cases, (a caveat she repeated in "XU"), the categories reflect the approach the Commissioner has taken when calculating compensation for non-economic loss in each of the determinations she has made since WP.

WP is currently under review by the Administrative Appeals Tribunal. Subject to any further guidance provided by the Tribunal in its decision, we consider that the WP categories are likely to remain a useful guide to the amount of compensation payable for non-economic loss caused by a privacy breach.

Get in touch

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.