Big tech and business are warring with digital and civil rights groups over the need to introduce a right of direct action for data breaches as part of the sweeping review of Australia’s privacy laws.
The Attorney-General’s Department is conducting a sweeping review of the Privacy Act on the back of the Australian Competition and Consumer Commission’s (ACCC) digital platforms inquiry, which recommended a number of legislative changes.
A key issue the inquiry is looking at is whether a direct right for individuals to bring actions or class actions before the courts to seek compensation for breaches under the Privacy Act should be introduced.
Presently, Australians have only a very limited ability to seek redress for a privacy breach by a company subject to the Privacy Act: through an injunction or a complaint to the Office of the Australian Information Commissioner (OAIC).
In its final report, the ACCC called on the government to introduce a right of action in the Federal Court or Federal Circuit Court to seek compensatory damages and aggravated and exemplary damages for financial and non-financial harm as a result of an infringement of the Privacy Act.
“This would give consumers greater control over their personal information by providing an avenue of redress in court without having to rely on the OAIC alone to take representative action,” the ACCC said in its digital platforms report.
“This ability will not only empower consumers but may also provide an additional incentive for Australian Privacy Principles entities to ensure they comply with their obligations under the Privacy Act and the APPs.”
Instead of accepting this recommendation, the federal government opted to consult further on the direct right of action as part of the wider review of the Privacy Act.
A number of civil and digital rights groups and legal organisations offered strong support for this policy in submissions to the inquiry, while big tech firms and other large businesses unsurprisingly railed against it, instead arguing that the OAIC should be handed a more prominent role in enforcing the Privacy Act.
But supporters of the proposal argued that the right of action would complement the OAIC’s enforcement role and is critical to ensuring the privacy of Australians is upheld.
In its submission, Australian tech giant Atlassian said a direct right of action is unnecessary and may “magnify rather than mitigate any concerns about the costs and time for individuals seeking resolutions through the complaints process”.
“It is difficult to see why the introduction of a direct right of action for individuals to seek compensation for breaches of the Privacy Act is necessary or, indeed, is the most appropriate way to meet these objectives,” the Atlassian submission said.
“We strongly believe that efforts are better redirected towards improving the efficiency and effectiveness of existing enforcement mechanisms, including by supporting the OAIC to increase its complaint-handling workload and considering other mechanisms to facilitate certainty and consistency of entities’ compliance obligations.”
US tech firm Adobe also argued against a direct right of action in its submission to the Australian inquiry, saying it would only benefit those who could afford to take legal action.
“The cost of undertaking litigation is very high, which means that providing a direct right of action will generally benefit only a very few Australians who have sufficient resources to take such action,” the Adobe submission said.
“Adobe submits that providing greater powers to the OAIC to assist in the resolution of privacy-related complaints is a more effective means by which to empower individuals to exercise control over their personal information.
“If the OAIC had enhanced powers and the necessary resources to conduct investigations, and provide adequate remedies, this would truly empower individuals who would be able to easily and quickly take action to address privacy harms.”
Tech titan Google also said that the OAIC’s dispute resolution is “preferable to creating a direct right of action”.
“If the government is considering introducing a direct right of action, we suggest that a precondition to any direct action is an attempt to resolve a dispute through conciliation by the OAIC or some other administrative body,” Google said in its submission.
Media giant Nine also argued against the ACCC’s recommendation.
“The main beneficiaries of having those claims in the courts instead of the OAIC will be lawyers, as many people will choose to be represented. Lawyers will have incentives to increase the quantum and frequency of claims,” the Nine submission said.
“Those individuals will fare better, and the system will fare better, if their concerns continue to be handled by the professional team which has done so effectively for nearly 20 years at the OAIC. That team should be well funded. It is much better for the current system to be supported than to disrupt it in the way proposed.”
While also strongly supportive of the OAIC receiving additional funding and resources, several other submissions argued that the direct right of action could work in tandem with the privacy office to uphold the rights of Australians.