In Europe, privacy regulators are sending clear signals that companies need to take collection, use and disclosure of personal information seriously.
On 16 October, the UK Information Commissioner’s Office (ICO) fined British Airways A$36 million (£20 million). This comes on the back of a A$57 million (€35 million) fine issued to clothing retailer H&M by the Hamburg Data Protection Commissioner. This fine – the second highest ever at the time – was despite the Hamburg Commissioner saying that H&M’s response was ‘an unprecedented acknowledgement of corporate responsibility following a data protection incident.’
In September this year, the Commonwealth Privacy Commissioner also handed down determinations relating to privacy breaches. On 11 September, the Acting Commissioner made an order for $2,500 in damages. On 2 September, the Commissioner made an order for $6,295. This included an order for aggravated damages.
So what’s going on? Why is there such a huge difference between Europe and Australia?
Apples and Oranges
Well, first – the comparison I have made is a little unfair – the decisions made in Europe related to privacy violations that affected many more individuals. The OAIC investigations each had only one complainant, whereas the ICO investigation related to over 400 000 individuals and the H&M investigation involved highly detailed dossiers on several hundred employees.
But this just raises another question – why isn’t the OAIC pursuing large companies for violating privacy law?
Damages or fines?
Under the Privacy Act, the Information Commissioner can make a ‘determination’ that an organisation has interfered with the privacy of individuals. Such a determination can include an order to pay monetary compensation to those individuals. The Privacy Act also provides for ‘civil penalties’ – i.e. fines – to be imposed where an organisation has either repeatedly violated people’s privacy or engaged in a serious violation of privacy (more on this later).
Damages for interfering with privacy
The Information Commissioner determinations I referred to above included orders for damages. However, these orders provided for relatively small amounts to be paid to the complainants. These amounts pale in comparison to the amounts of compensation that are being paid in Europe under the GDPR.
Part of the reason for this lies in the principles that are applied in assessing damages for breaches of the Privacy Act. The case of Rummery and Federal Privacy Commissioner established that:
- where a complaint is substantiated and loss or damage is suffered, the legislation contemplates some form of redress in the ordinary course;
- awards should be restrained but not minimal;
- in measuring compensation, the principles of damages applied in tort law will assist, although the ultimate guide is the words of the statute;
- compensation should be assessed having regard to the complainant’s reaction and not to the perceived reaction of the majority of the community or of a reasonable person in similar circumstances.
The upshot of these principles – the second one in particular – is that if your privacy gets violated, you won’t get much compensation. This acts as a disincentive for businesses to prioritise protection of personal information. The effect of such low awards is that the consequences of getting caught are lower than the costs of putting in place preventive technical and organisational measures.
Enforcement policy and resourcing
The consequences of getting caught are further lowered by the approach that the OAIC takes in responding to privacy complaints. First, there is a statutory obligation, when investigating a complaint, to make a reasonable attempt to conciliate the complaint (s 40A). Beyond this, the OAIC’s ‘preferred regulatory approach … is to work with entities to facilitate legal and best practice compliance.’ In other words, it does not take a robust approach to dealing with interferences with privacy.
This focus is reflected in the relatively small number of Commissioner decisions dealing with privacy as opposed to the other part of the OAIC’s work – freedom of information. As of 17 October 2020, the Commissioner has handed down 53 determinations this year. Only seven of these have related to privacy.
Enforcement is also being hampered by funding constraints. Recently it was revealed that
the agency failed to achieve seven of its eight performance goals for the 2019-20 financial year, heightening fears that it is not adequately resourced to conduct its important role.
(Denham Sadler, Privacy office is still ‘severely underfunded’)
So this means that investigations into complaints are not completed in a timely manner. Moreover, the OAIC is less able to initiate investigations on its own initiative. Accordingly, the likelihood of being caught violating privacy is also low.
It is also important to note that the first Australian class action flowing from a privacy violation was covered by state legislation, and the matter settled for an undisclosed sum.
What about fines?
So far, I’ve mainly been talking about compensation. Another aspect of the OAIC’s enforcement powers is civil penalties – aka fines. Recall that civil penalties can only be issued if there is a repeated violation or the violation is serious enough to warrant such penalties.
To date, there have been no civil penalties issued for serious or repeated violations of privacy. However, this may change soon. The Commissioner is currently applying to the Federal Court for civil penalty orders against Facebook for breaching the privacy of 300 000 users in relation to data harvesting by Cambridge Analytica.
This matter is still in the pre-trial stage, and it is unlikely that there will be judgment this year. That means that there will be at least five years between the initial disclosure of the misconduct and any penalty. Thus, the civil penalty process is slow and, in light of the fact that it involves court proceedings, costly. Compare the H&M breach, which was discovered in October 2019 and where the fine was issued in October 2020. The British Airways breach-to-fine timeframe – June 2018 to 16 October 2020 – was also considerably shorter than the OAIC’s Facebook matter.
In March 2019, the Federal Attorney-General and Communications Minister announced proposed reforms to Federal privacy law.
The reforms were to:
- Increase penalties … from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater
- Provide [the OAIC] with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
(AG’s Press Release)
There was also an
additional $25 million [allocated to the OAIC] over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.
(AG press release)
Notwithstanding this additional funding, as noted above, the OAIC is still underfunded to the point that it is unable to meet its key performance indicators.
Legislation to give effect to these reforms was to be drafted in the second half of 2019. These reforms seem to have been subsumed into the Federal Government’s December 2019 response to the ACCC Digital Platforms Inquiry. This response mapped out comprehensive changes to federal privacy law to bring it into closer alignment with external jurisdictions such as the EU and its GDPR. See here for a concise summary of these changes. As of the time of writing, this process seems to have stalled: no draft legislation has yet been released.
So for now, we are left with a limited ability to recover under the Privacy Act, a conciliatory enforcement policy and an under-resourced regulator.
In response to this, we have seen the ACCC and ASIC take up the mantle by taking action for privacy breaches. The ACCC recently obtained a A$1.4 million civil penalty order against a health-tech company for misleading and deceptive conduct relating to its handling of personal information, and ASIC is currently pursuing a similar order against an Australian Financial Services Licence holder for failing to take adequate measures to protect information it held from a cyberattack.