elevenM’s Piotr Debowski breaks down a recent determination by the privacy regulator, and explores the link between data breaches and the impact they have on affected individuals.
As a privacy professional and consumer activist, I love seeing and reading new privacy determinations, especially where the ‘little guy’ wins in a matter that’s warranted.
Don’t get me wrong, there’s a plethora of determinations and judgments that exist where it’s clear that the matter is baseless or there should have been a win but wasn’t. But just for a change, it’s nice to see things go right, and last month the Office of the Australian Information Commissioner (OAIC) published a determination exemplifying just that: ADO and Telstra Corporation Limited (Privacy)  AICmr 47.
This determination comes at a time when Telstra has been heavily criticised for failing to stop sending letters to living relatives addressed to deceased family members.
Summary of the privacy determination
The synopsis of the case is as follows:
- In 2015, the complainant in the case added a partner of a relative (third party) as an authority over their account. There appears to be some dispute over the level of authority added, but the facts suggest the complainant only intended to give the third party authority in respect of a particular service that the third party was a user of.
- In 2018, the third party contracted with Telstra for another service under the complainant’s account based on the authority, and then changed the complainant’s address on the account. The third party then defaulted on the service.
- Telstra sent an overdue notice, but the complainant did not receive this notice. Months later, the complainant became aware of the debt when they prepared their credit file in order to obtain finance for a property.
At this point, you might be thinking: “Well, it’s the complainant’s fault for granting the third party authority over their account”.
The problem is that Telstra didn’t take reasonable steps to check whether the complainant’s authority was still accurate and up-to-date when the third party was contracting with them for the additional service. In fact, Telstra didn’t take any steps at all to check this out – despite the complainant having given this authority more than 34 months prior and, as outlined earlier, only for the single service that the third party was using, not the entire account (although that last point is not exactly in the determination).
The OAIC ended up ordering that Telstra pay the complainant: (i) the balance of the outstanding debt to remove it from their credit file, and (ii) $2000 for non-economic loss.
Fortunately, it appears the outstanding debt wasn’t ultimately a barrier to the complainant being able to finance their property, otherwise the impact could have been a whole lot worse.
Although this is a relatively insignificant determination compared to others where significantly worse harm has been experienced or the breach of privacy is more egregious, I have chosen to write about it because it exemplifies: (i) the inextricable link between a breach of privacy (irrespective of how inconsequential) and the emotional ramifications on an individual, and (ii) a pet peeve I have with the law regarding reimbursement.
The link between a breach of privacy and emotional ramifications for individuals
It’s promising to see the OAIC awarding compensation for mere emotional distress. As the Law Institute of Victoria highlighted nearly a decade ago, “harm caused by breaches of privacy is more likely to be harm such as embarrassment, humiliation, shame and guilt. Given the centrality of privacy to identity, these harms should not be seen as insignificant, even though they are not physical or financial.” This follows a line of OAIC determinations where compensation for non-economic harm has been awarded.
But not all jurisdictions have followed suit. To date there has been only one reported Victorian Civil and Administrative Tribunal (VCAT) judgment where the plaintiff was successful in obtaining compensation for non-economic harm. I have followed VCAT’s privacy judgments closely for some time, particularly during my time at the Office of the Victorian Information Commissioner (OVIC). It isn’t clear to me whether this low number of successful compensation rulings for non-economic harm is because of a reluctance on VCAT’s behalf, a poor selection of cases without merit that don’t lend themselves to such an award, or because of the good work VCAT is doing in facilitating settlements before trial (these agreements are confidential and so we don’t know what compensation, if any, was agreed upon).
Regardless, it’s critical that decision makers, courts, and tribunals recognise the inextricable link between a breach of privacy and its emotional ramifications on an individual. Both the OAIC and OVIC appear to me to be leading the charge on this here in Australia. Last year, OVIC published a guide on assessing compensation claims for loss in privacy complaints that includes a detailed section on non-economic harm. The OAIC has also outlined some science on how to quantify non-economic damages in its WP and Secretary to the Department of Home Affairs determination (specifically see the table in Addendum A).
In this determination, I found personally compelling the complainant’s description of the intangible effects that a breach of privacy and attempting to resolve it can have, irrespective of how inconsequential you may think it is (my emphasis added below):
I have spent many hours, now over years, following up on this matter only to be told repeatedly of no wrongdoing. While recently trying to re-enter the housing market, there was a major amount of stress and anxiety present due to this situation while having to explain to the lender the situation which, in my view, should not have existed if the respondents [sic] systems included a duty of care for their customers’ personal information… These kinds of circumstances and events can form a trigger for individuals such as myself as you feel worthless and helpless in comparison to a large corporation such as the respondent. I have much anxiety while dealing with this situation, however I do feel strongly that it needs to be dealt with rather than just surrendering to their possible negligence.
What I’d like to see changed
There is one critique that I would raise against the ADO and Telstra Corporation determination. The critique is not so much the OAIC’s application of the law, but the law itself, being the outcome that the complainant was not entitled to any compensation for time spent dealing with the complaint.
The complainant spent years fighting Telstra on this issue. They then prepared an itemised list of the tasks they carried out and how long it took them and claimed only $600 in compensation for this.
The Privacy Act allows the Commissioner to reimburse complainants for ‘expenses’ reasonably incurred in connection with the making and investigation of a complaint. The Commissioner’s rationale was that none of the items evidenced ‘any actual expenditure’.
I agree with the Commissioner’s application of the law. Bringing me back to my experiences practicing in tax, traditionally when we think about things being of an ‘expenditure’ nature, it includes outgoing money often to obtain evidence or legal advice. The Commissioner has followed this approach and awarded reimbursement in the past in determinations like KB and Veda Advantage Information Services (reimbursement for legal expenses) and LA and Department of Defence (reimbursement for medical evidence expenses).
Having said that, I think this is an area that warrants revisiting. If it takes a complainant a substantial amount of time to deal with a complaint, especially a relatively trivial complaint that could have been resolved quickly but has dragged on because of a respondent’s impudence, then why shouldn’t the complainant be compensated for the time they invested in attempting to right a wrong?
There are also broader regulatory and public policy considerations at play. Rational choice theory suggests that individuals who have been aggrieved will perform a cost-benefit analysis to determine whether pursuing a complaint is right for them. Granted, not all individuals will approach the matter in the same way – some may be motivated purely to vindicate their rights. We all have a Grandpa Jack for whom ‘it’s the principle of the matter.’
But assuming most people weigh up the pros and cons of pursuing a privacy complaint, then if the length of time and the amount of effort exceeds the compensation an individual is likely to get, many harmed people will simply choose not to pursue a complaint. This risks sending the message to industry that it’s okay to breach a person’s privacy, provided it’s not that egregious, because for most people it won’t be economically favourable to try and remediate.