A PATH FORWARD: DATA BREACHES, CLASS ACTIONS, AND A DIRECT RIGHT OF ACTION UNDER THE PRIVACY ACT
-
Introduction
It is increasingly difficult to participate in the economy without disclosing personal information to entities online. Data is seen by entities as an asset, as the ‘new oil’,[1] rather than a liability. While other countries have developed and recognised private actions for invasions of privacy and implemented regulatory reforms to reflect the new digital economy, Australia’s approach to invasions of privacy remains outdated, albeit under extended review.[2]
The Australian approach is under particular scrutiny following the recent Optus breach, where millions were impacted when the telco’s security measures were breached by a malicious actor, resulting in the disclosure of customers’ personal information.[3] The relevant Minister labelled the infiltration “quite a basic hack” and said that Optus “effectively left the window open for data of this nature to be stolen.”[4] While the AFP investigates the criminal aspects of the breach,[5] two regulators are investigating Optus,[6] and several firms are considering class actions against the telco.[7] While the regulatory field is crowded, for those who suffer from a data breach there is a dearth of clear actions available. The Optus breach may be the test case for the recognition of a long-awaited cause of action at common law or in equity, or herald the introduction of the long-called-for statutory action.
This paper will set out how class actions not only serve to compensate victims, but also serve as an important driver of the regulatory objective of deterrence. Class actions are a missing link in the privacy regulation regime. A sample of potential approaches that may be introduced in Australia will be assessed against their effectiveness in creating deterrence and other practical considerations.
This paper will conclude that the combination of strengthened regulatory actions and a private cause of action to enable data breach class actions in Australia will best meet the objective of better-behaved entities. A direct right of action within the Privacy Act 1988 (Cth) can work alongside the development of equitable remedies or recognition of a common law action where the Privacy Act does not apply. The development of a direct right of action and judge-made law should become part of the Australian framework to support recently announced[8] proposed increases in civil penalties that OAIC may seek for serious or repeated invasions of privacy.
Eliminating all breaches through perfect security is neither technologically nor economically feasible;[9] however, implementing a legal framework that promotes cyber resilience and security and deters misuse of personal information by large entities is an urgent agenda. Privacy, like knowledge, is ultimately about power in the digital era.[10] It may not feel like a loss when given up, but power is purchased over you. Regulation should be designed towards correcting the power imbalance between the individual and the data-holding entities they must deal with day-to-day.
-
Class Actions and Regulatory Objectives
Deterrence
Analysis of appropriate penalties in civil penalty proceedings draws from criminal law; however, the purpose of a civil penalty is entirely protective and focused upon the future, aimed at promoting compliance through general and specific deterrence.[11]
As such, the focus of regulators like the ACCC[12] and ASIC[13] is to penalise entities for breaches of law, not to compensate victims for their losses. The OAIC, which considers a more enforcement-focused approach appropriate to achieve the regulatory objectives of deterrence and rectification,[14] must do so with a fraction of the resources.[15] Since their introduction in 2014, the only instance[16] in which the Privacy Commissioner has sought to impose civil penalties is the ongoing matter against Facebook.[17]
It may be generally accepted that, in addition to compensating victims, class actions play a role in deterrence against future breaches.[18] ASIC has noted that private action allows ‘ASIC to allocate its regulatory resource to other priorities’.[19]
While the Privacy Act[20] allows representative complaints to be brought,[21] the Commissioner can only hear Privacy Act breaches: other rights of individuals are not within its jurisdiction.[22] Data breaches can involve claims in negligence,[23] contract, tort and other statutory obligations, like consumer law breaches.[24] As such, this approach splits out privacy complaints from other viable actions, increasing complexity for victims.
Class actions can evidently provide specific deterrence, as settlements often include orders requiring the defendant to change their behaviour.[25] On general deterrence, private enforcement has been recognised by American scholars as a key requirement to ensure that substantive laws are enforced and to achieve deterrence.[26] Indeed, general deterrence may be a goal of class action members themselves.[27]
Private Actions in Privacy
Victims of data breaches have at their disposal a sparse patchwork of general law[28] and statutory provisions[29] that protect specific aspects of their privacy. Despite the crowded field,[30] the complexity of regulation and patchwork coverage can leave the regulated population bewildered and ill-informed.[31] The courts have not yet developed a suitable cause of action in general law.[32]
The vast majority of complaints to the Commissioner for ‘interference with the privacy of an individual’[33] are resolved through conciliation.[34] While conciliations are a fast and cheap process compared to court actions, the lack of enforceability of conciliations and the uncertainty in law arising from private conciliations reduce the deterrent effect on entities who neglect privacy security.[35]
Australia is said to have one of the more liberal class action regimes[36] which was introduced alongside the strict liability regime for product liability claims.[37] It is a suitable vehicle for incentivising entities to meet their privacy obligations. As argued by Rivette, it is perhaps only through the “emergence of class actions that business will put a greater price on the protection of the personal, private or confidential information that is held, and if so, the result may be that the human rights of Australian citizen[s] will be finally afforded the protection contemplated in international law.”[38]
Challenges for Private Actions
Proposed approaches that may facilitate class actions bringing claims in privacy interference, including statutory and judge-made pathways, are explored in the ongoing Privacy Act Review[39] and other inquiries.[40] The ALRC has proposed a statutory tort model,[41] and the ACCC,[42] supported by the OAIC,[43] has proposed a direct right of action in the form of a statutory action able to be brought by individuals against entities under the Privacy Act in the Federal Court.[44]
Following the UK’s development of a tort of misuse of private information through the equitable claim of breach of confidence,[45] the High Court has contemplated the accommodation of breach of confidence in cases of privacy invasion.[46] Alternatively, following New Zealand, Australian courts could consider recognising a common law tort for invasions of privacy.[47] A further model, put forward by Alicia Solow-Niederman in the US context, to reinvigorate a tort of breach of confidence with strict liability application[48] has received US court application.[49] A clear pathway forward must overcome specific challenges in bringing actions for privacy invasions, including data breaches.
Harm and Barriers to Claims
Because of the difficulties in assessing harm, and the objective of deterrence in class actions, an action should be available that does not require harm to be a requisite element to establish a claim.
Compensation or damages can be clearly quantified where a passport needs to be replaced. It is more difficult to quantify the effect of a data breach disclosing a compromising photo,[50] or disclosure of a planned wedding proposal arising from misuse of personal information for advertising purposes.[51] Invasions of privacy may give rise to distress of the victim that may not amount to physical or diagnosed psychiatric injury and data breaches often put victims in a state of vigilance that their identity could be stolen at any point in the future.[52] Harm may not even be realised until well after the event.
However, quantifying such kinds of non-economic loss is difficult. The ALRC tort requires that a claim relate to serious breaches.[53] However, the Australian Privacy Foundation submitted that, as it is modelled as an intentional tort, damages should be presumed.[54] Dr Gligorijevic, in submission to the Privacy Act Review, considered a minimalist statutory recognition of a tort with no element of harm required. The approach activates the courts to provide remedies in appropriate cases, rather than setting out substantive boundaries of the protected interest, arguing that the ‘reasonable expectation of privacy’ sufficiently prevents trivial claims.[55]
In the NZ common law tort, there must be ‘public disclosure of private facts and the disclosure must be one which would be highly offensive and objectionable to a reasonable person of ordinary sensibility.’[56] Matters successful in claims based on a breach of confidence in the UK, such as a photograph taken on a public street,[57] may not be successful in a common law tort.[58]
In the NSW case of Evans, it was noted that it may not even be possible to establish harm for purely non-economic loss on grounds of breach of confidence.[59] On the other hand, in Victoria, the court held in Giller v Procopets[60] that the claimant could recover compensation for emotional distress as equitable compensation in a successful claim for breach of confidence. As such, equity may better accommodate victims of data breaches than common law.[61]
While a harm or seriousness element may curtail frivolous claims, the difficulty of establishing harm – let alone some metric of seriousness as with the ALRC statutory tort – would delay and frustrate legitimate claims. In particular, including a threshold of harm as an element of the action would create complexities for class actions, where some individuals may suffer actionable loss – like psychiatric illness or identity fraud – and others only distress from the same data breach.
Solow-Niederman’s approach suggests that harm begins the moment the data holder fails to secure consumer personal information,[62] and that damages need not be an element of a prima facie case, only to be assessed separately once the action is established.[63] Similarly, in respect of a direct action under the Privacy Act, the OAIC and other submissions to the Discussion Paper advocated excluding seriousness as an element.[64]
Remedies in Direct Action
In considering remedies, the courts need flexibility to account for the nuances of harm suffered in each case.
Failures in an entity responding to a data breach, either in speed or quality of response, can cause further harm. As reflected in the direct right of action proposed in the Discussion Paper, any action introduced by statute should allow for injunctive relief where damages are insufficient to address the harm. Currently, where the complaints process is available under the Privacy Act and has not been exhausted, the Federal Court[65] has expressed reluctance to exercise the existing injunctive relief.[66]
For a direct right of action suggested by the ACCC, the Federal Court would be able to order any equitable relief it thinks necessary, in addition to damages and aggravated and exemplary damages for economic and non-economic loss.[67]
In Evans, a rare example of class action settlement approval relating to a breach of privacy, the court followed the existing regulatory practices in assessing compensation. As part of the multi-faceted consideration presented by the plaintiff’s Counsel, the court considered awards in factually comparable OAIC determinations as a guide and state privacy law decisions made at NCAT.[68] The court agreed that each group member receive around $2,400 and the lead plaintiff $10,000.
While this may seem paltry to some harmed victims, in the case of class actions it can be a significant deterrent for entities. The harm suffered was clearly more significant in the case of the Optus breach than in the Evans matter because – for 10,000 Optus customers at least[69] – the information was released to the world at large by a third party.[70] If just those individuals were awarded the compensation provided to members in Evans, Optus would be required to pay $24 million.
Relationship between parties
The ALRC model is only actionable where a reasonable expectation of privacy could be held by the plaintiff. Solow-Niederman’s model requires no contractual or other relationship; the fiduciary-like relationship is established by the entity being the holder of the plaintiff’s data. This may give rise to an indeterminate liability to an indeterminate class.
A breach of confidence claim requires that a duty of confidence exist between the parties, but equity ‘may impose obligations of confidentiality even though there is no imparting of information in circumstances of trust and confidence’.[71] In many cases of data breaches, victim customers have reasonable grounds to expect that the entity received their personal information in confidence.[72] The limited extension of remedies available in equity for breaches of confidence under the Privacy Act to enable actions against third parties could assist in expanding class actions against government agencies or officials.[73]
The obligations of entities under the Privacy Act and the simple elements of interference[74] might be seen as analogous to establishing a duty[75] of the entity to a determinate class – those whose personal information the entity holds – not to breach the Australian Privacy Principles.
Fault Element
Intention
Intentional common law torts[76] are generally actionable per se, and the award of damages may be given simply because the tort occurred.[77] But for obvious reasons, for data breaches like Optus’, a failure to securely store customer data is unlikely to be intentionally done.[78] In the UK, a claim for the tort of misuse of private information was struck out on the basis that the harm resulted from a third-party malicious actor, not from the defendant acting in a way that directly amounted to the misuse.[79]
Similarly, the ALRC statutory tort model, limited to intentional and reckless acts, has also been criticised as being too narrow.[80] The ALRC model would not recognise an action where an entity has been merely negligent. As such, liability may not arise where entities, unintentionally and without reckless disregard, fail to take adequate measures to protect personal information from data breaches. Nevertheless, given the scope of respondents, the tort may at the same time have unintended reach, like actions brought against news outlets for ‘recklessly’ reporting on urgent news, impacting competing public interests.[81]
Strict Liability
The ALRC has argued that a privacy tort should not be one of strict liability as that would be overly burdensome, broad and inconsistent with ‘modern trends in tort law’ that have rather favoured fault-based liability.[82] They argue that strict liability provisions ‘are directed at pecuniary loss or material damage in particular contexts, such as consumer protection or product liability, unlike claims for invasion of privacy which will arise in a wide variety of contexts and generally involve dignitary or intangible interests.’[83]
However, this argument does not give weight to the emergence of ‘markets based on the dispossession of human experience as a means to the prediction and control of human behavior for others’ profit.’[84] Where personal information is treated as a product or an asset by certain entities, product liability law may be more analogous to privacy actions than it first appears. Similar to the Australian Consumer Law[85] and Credit Licensee obligations,[86] the APPs require a particular norm of conduct when handling personal information.
As argued by Solow-Niederman, the strict liability burden on the defendant is appropriate where plaintiffs can do little to prevent or mitigate the resulting harm. It puts the onus on the better resourced defendant to prevent such harm, as it would be rare that a plaintiff would have the access and resources to identify security failures before a data breach occurs.[87]
The equitable jurisdiction of a breach of confidence has the benefit of flexibility. Lerch and Whittaker suggest that, in a company data breach case, the sensitivity of the information and the presumption of confidence may give rise to strict liability if the information is stored in a way that allowed infiltration.[88] Australian courts may look to developments in US tort law in this respect.[89]
Balanced Approach
State law reform commissions have put forward proposals similar to the ALRC statutory tort for civil redress. However, the NSWLRC also introduced the ground of negligence for governments and corporations.[90] In matters of data breaches caused by malicious actors, a broader scope of the action is required, as in most instances there is never an intention, and recklessness is a high bar for security standards. In contrast, a court considering a direct right of action claim for a data breach would likely consider a reasonable steps test.[91] Strict liability may be appropriate for data breaches caused by APP entities. A plaintiff can claim a breach of APP 11 interfering with privacy where they establish that the company’s conduct has failed to meet a ‘well-instantiated security guideline or otherwise fallen below an established security standard.’[92]
The direct right of action under the Privacy Act is limited in application to government agencies and well-resourced corporations.[93] Further, the AGD suggests the claimant would need to make a complaint to the OAIC first before seeking leave of the court to make the application.[94] This more burdensome avenue to justice – which seeks to mitigate frivolous or vexatious claims – takes the place of a fault element like intention. This is the case with the current complaints process, where the Commissioner can consider negligent and accidental acts that cause data breaches in addition to intentional or reckless acts.
Public Interest Defence
Privacy regulation often conflicts with other public interests like security and innovation,[95] and the constitutionally recognised freedom of political communication.[96] As per Gageler J in Farm Transparency, it is clear ‘that any development would need itself to follow a path consistent with the constitutional guarantee of freedom of political communication.’[97] In the ALRC model, the court must be satisfied that the public interest in privacy outweighs any countervailing public interest.
If a direct right of action were introduced, the Privacy Act specifically excludes from its application specific activities such as journalism[98] and political acts.[99] This goes some way to rebutting claims by media opponents of the expansion of privacy claim rights that it would have a chilling effect on freedom of expression. As applied in Farm Transparency to the NSW Surveillance Devices Act, the courts will likely balance the legitimate purpose of the Privacy Act to protect privacy against the burden imposed on political communication.[100]
Access to justice
Class action litigation has been criticised as costly, with individual group members receiving modest returns after transaction costs. Further, the motivations of litigation funders and firms alike mean actions will only be launched when economically viable, which denies access to a remedy in many circumstances.[101] Costs and delay are added in data breach class actions where highly technical questions of cyber security standards must be assessed, which requires the technical expertise of a relevantly skilled expert[102] or amicus curiae.[103] If a voluntary Regulatory Redress Scheme were provided as a means of direct action within the Privacy Act, this would enable victims to participate in corporations’ schemes or take alternative action.[104]
Alternatively, or in addition, if the Commissioner had public interest action powers equivalent to those of ASIC under s 50 of the ASIC Act,[105] this may curtail the evidentiary and economic bars present in class action litigation. This is in part because of ASIC’s compulsory information gathering powers and because litigation funders are not required.[106] Through changes proposed in the Privacy Act Review, the OAIC may strengthen its information gathering powers and resources to support victims in their claims.[107]
-
Conclusion
When these options are viewed against the difficulties in establishing a claim, and their efficacy in addressing and deterring cyber security and data breaches and mismanagement, it may be argued that a direct right of action within the Privacy Act would best supplement the announced increases in civil penalties and, at the same time, would not obstruct the path of a court-made action.
The direct right of action would provide class members of aggrieved individuals[108] the ability to litigate a claim for a breach of their privacy under the Privacy Act. It would reduce resource pressures on the OAIC and incentivise entities to comply with their obligations under the Act. It also encourages the courts to develop clear law around the principles-based Act, making it easier for entities to identify and apply the expected standards.
This Privacy Act case law might support the emergence of a court-made action, to be applied where the Privacy Act does not. The Privacy Act does not apply to spatial or physical privacy interference, acts of political parties,[109] or where the defendant is an individual in a non-business capacity. The Act focuses on the obligations of the data holders, not the individual dignity, autonomy and liberty of the individual from unreasonable and unwanted observation, tracking and access.[110] In breaches of confidence, by contrast, as per the recent dissenting views of Edelman J in Farm Transparency, personal information may be protected not just where it is secret, but also ‘where further disclosure would compromise foundation interests of human dignity and autonomy’.[111] The equitable action could be expanded to deal with data breaches involving the disclosure of sensitive information like health records.[112] Lerch and Whittaker note that the equitable jurisdiction would allow courts to hold entities ‘to a higher standard of liability where they store confidential information to their benefit and on the basis that it will be kept secure.’[113]
The development of privacy in the UK is set in the context of the UK GDPR, which provides a general right to a judicial remedy including non-material damages for invasions of privacy.[114] This provides a direct right of action outside of the remedies for breaches of confidence or tort of misuse of private information, and the actions can be brought together.[115] Australia does not currently have this context of a direct right of action to supplement any development in general law.
The High Court has provided that international law “provides an important influence on the development of Australian common law, particularly in relation to human rights.”[116] Still, an Australian action might not develop with the same rapidity without being spurred, as the UK was,[117] by human rights legislation.[118] While there is ample space for the development of breach of confidence, or an emergent tort, a direct right of action may be a faster solution to many victims, and encourage entities to immediately improve their security and handling of personal information.
In the case of the Optus breach, the class members may consider advancing a claim for invasion of privacy on the grounds that Optus’ practices breached APP 11 in relation to personal information about the class members.[119] APP 11 requires that Optus take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. As pointed out by Solow-Niederman in her model, the precise security standards to meet these reasonable steps would need to emerge over time through specific cases.[120]
One of the objections to the Optus breach was that there was not enough information provided to the affected individuals to allow them to take measures to protect themselves from harm.[121] The individuals may be able to seek orders to enforce their right to access personal information held by Optus that may be at risk. They could also explore seeking an injunction[122] compelling Optus to respond to the data breach in accordance with their obligations under the Act,[123] which could be sought without first making a complaint to the Commissioner.[124] Further creative solutions may be drawn out of direct action cases, for example, an action akin to the GDPR right to erasure might be drawn out of enforcing the obligation to destroy personal information no longer required under APP 11.
We are in the primeval stages of recognising the importance of privacy, and the powerful entities handling personal information are only set to get stronger with the growing capabilities of AI.[125] A direct right of action under the Privacy Act would be an immediately available and broadly supported change.[126] The change is increasing in urgency, with a Woolworths subsidiary,[127] EnergyAustralia,[128] and Medibank[129] experiencing attacks since the Optus breach. A direct right of action avoids many of the risks a statutory tort presents and directly addresses security failures of large corporations and government agencies. Some have expressed reluctance to create a statutory cause of action when privacy protection could be left to the incremental development of the common law.[130] The ‘development and adoption of recognised forms of action to meet new situations and circumstances’,[131] like extending breach of confidence, might be preferred to developing a separate action because of substantial definitional problems with privacy,[132] and difficulties establishing harm and fault. Whichever way it is done, where such nuance is required, judge-made law should be allowed to fill in the gaps left by a direct action under the Privacy Act.
Bibliography
Articles/Books/Reports
- Attorney-General’s Department, Privacy Act Review Discussion Paper, (October 2021)
- Submission to the Discussion Paper: Dr Jelena Gligorijevic
- Submission to the Discussion Paper: Office of the Australian Information Commissioner
- Attorney-General’s Department, Privacy Act Review Issues Paper, (October 2020)
- Submission to the Issues Paper: Office of the Australian Information Commissioner
- Submission to the Issues Paper: Dr Jelena Gligorijevic
- Submission to the Issues Paper: Law Council of Australia
- Submission to the Issues Paper: Public Interest Advocacy Centre
- Australian Competition and Consumer Commission, Digital Platforms Inquiry Final Report (June 2019), 472.
- Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108 (2008), pp 2555-2556
- Australian Law Reform Commission, Integrity, Fairness and Efficiency—An Inquiry into Class Action Proceedings and Third-Party Litigation Funders, (December 2018), para 9.28
- Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report No 123 (2014).
- Australian Privacy Foundation, Submission 110 to Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report No 123 (2014).
- Bloch, V, Kerrigan, C & Campbell, J 2022, ‘Federal court finds cyber risk management is a critical obligation for financial services firms’, Governance Directions, vol. 74, no. 6, pp. 572–578, viewed 10 September 2022, <https://discovery.ebsco.com/linkprocessor/plink?id=297abc89-58af-3317-8fca-9e9bcfa94df6>.
- Christie, Alec, Sian Pannach and Michael Zacharatos, 'The good, the bad and the ugly: top 10 privacy and cyber issues and trends for 2022 and 2023' (2022) 19(1) Privacy Law Bulletin 8.
- Clark, S. Stuart and Christina Harris, ‘The Past, Present and Future of Product Liability and Other Mass Tort Class Actions in Australia’ (2009), pages 1025-6
- Clarke, Helen, Jennifer Dean, Benjamin O’Mara and Jessica Bi, ‘Seller beware: data governance, ACCC enforcement action and privacy reforms — lessons from a consumer law perspective’ (2022) 19(3) Privacy Law Bulletin 42
- Dennis D. Hirsch, The Glass House Effect: Big Data, the New Oil, and the Power of Analogy, 66 MAINE L. REV. 373 (2014).
- Edelman, James and Simone Degeling, ‘The Future of the Common Law of Torts’ (2010) 33(1) Australian Bar Review 45, page 47
- Fitzpatrick , Brian T., ‘Do Class Actions Deter Wrongdoing? The Class Action Effect’ (Catherine Piché, ed., Éditions Yvon Blais, Montreal, 2018) Vanderbilt Law Research Paper No. 17-40
- Glover, J. Maria, ‘The Structural Role of Private Enforcement Mechanisms in Public Law’, 53 Wm. & Mary L. Rev. 1137 (2012), via <https://scholarship.law.wm.edu/wmlr/vol53/iss4/3>
- Johnson, Neville L. et al., 'Defamation and Invasion of Privacy in the Internet Age' (2019) 25(1) Southwestern Journal of International Law 9.
- Komamura, Keigo, ‘Privacy’s Past: The Ancient Concept and Its Implications for the Current Law of Privacy’, 96 Washington University Law Review 1337 (2019).
- Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100
- Lerch, Aiden, "The Judicial Law-Making Function and a Tort of Invasion of Personal Privacy" (2021) 43(2) Sydney Law Review 133
- McDonald, Barbara, ‘A statutory action for breach of privacy: Would it make a (beneficial) difference?’ (2013) 36 Australian Bar Review
- Middleton, T, ‘ASIC and private litigants: enforcement of statutory and fiduciary duties of directors, financial advisers and corporate trustees’ (2022) 39(3) Company and Securities Law Journal 171-193
- Murphy, Bernard and Camille Cameron, ‘Access to Justice and the Evolution of Class Action Litigation’, Vol 30 Melbourne University Law Review
- New South Wales Law Reform Commission, Invasion of Privacy, Report No 120 (2009).
- Office of the Australian Information Commissioner, ‘Australian Community Attitudes to Privacy Survey 2020’ (September 2020)
- Office of the Australian Information Commissioner, Annual Report 2020-21 (Oct 2021)
- Phillipson, Gavin, ‘Transforming Breach of Confidence? Towards a Common Law Right of Privacy under the Human Rights Act’ (2003) 66 Modern Law Review 726.
- Prosser and Keeton on the Law of Torts, 5th ed (1984), pp 850-85.
- Richards, Neil and Woodrow Hartzog, Taking Trust Seriously in Privacy Law, 19 Stanford Technology Law Review. 431, (2016), at 434
- Richards, Neil M. (Spring, 2011). ‘Information Privacy: The Limits Of Tort Privacy’, Colorado Technology Law Journal, 9, 357.
- Richards, Neil, Why Privacy Matters (New York, 2022; online edn, Oxford Academic, 18 Nov. 2021), https://doi.org/10.1093/oso/9780190939045.003.0008
- Rivette, Michael ‘Privacy Class Actions’ (2020) 94 Australian Law Journal 791, page 802
- Rivette, Michael, ‘Litigating privacy cases in the wake of Giller v Procopets’ (2010) 15 Media & Arts Law Review 283, 289
- Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report No 123 (2014), [7.66]
- Solow-Niederman, Alicia, ‘Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches’ (2018) 127 Yale Law Journal (11 January 2018)
- Tidmarsh, Jay, Class Actions: Five Principles to Promote Fairness and Efficiency (LexisNexis, 2013) §1.03
- Witzleb, Normann, ‘Another Push for an Australian Privacy Tort: Context, Evaluation and Prospects’ (2020) 94 Australian Law Journal 765, 773
- Zuboff, Shoshana, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power, (2017), Profile Books Ltd, page 482.
Case Law
- ASIC v RI Advice Group Pty Ltd [2022] FCA 496
- Austen v Civil Aviation Authority (1994) 50 FCR 272 at p 278
- Australian Broadcasting Corp v Lenah Game Meats Ltd (2001) 208 CLR 199
- Australian Building and Construction Commissioner v Construction, Forestry, Maritime, Mining and Energy Union (The Botany Cranes Case) (No 4) [2021] FCA 525
- Australian Building and Construction Commissioner v Pattinson [2022] HCA 13
- Australian Competition and Consumer Commission (ACCC) v Google LLC (No 2) [2021] FCA 367
- Australian Competition and Consumer Commission v Thermomix in Australia Pty Limited [2018] FCA 556
- Australian Information Commissioner v Facebook Inc [2020] FCA 531
- Bradley v Wingnut Films Ltd [1993] 1 NZLR 415
- Breen v Williams (1996) 186 CLR 71 at 128
- C v Holland [2012] 3 NZLR 672
- Campbell v Mirror Group Newspapers Ltd [2004] 2 AC 457
- Catt v United Kingdom (European Court of Human Rights, Application No 43514/15, 24 January 2019)
- Commissioner initiated investigation into Clearview AI, Inc. (Privacy) [2021] AICmr 54 (14 October 2021)
- Commissioner Initiated Investigation into the Australian Federal Police (Privacy) [2021] AICmr 74 (26 November 2021)
- Commonwealth of Australia v Director, Fair Work Building Industry Inspectorate (2015) 258 CLR 482
- Doe v Australian Broadcasting Corp [2007] VCC 281
- Douglas v Hello! Ltd [2006] QB 125
- Environment Protection Authority v Caltex Refining Co Pty Ltd (1993) 118 ALR 392
- Evans v Health Administration Corporation [2019] NSWSC 1781
- Farm Transparency International Ltd v New South Wales (2022) 403 ALR 1
- Financial Rights Legal Centre Inc. & Others and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 88 (9 December 2016)
- Giller v Procopets [2008] VSCA 236; 24 VR 1
- Hosking v Runting [2005] 1 NZLR 1
- Knowles v Secretary, Dept of Defence [2020] FCA 1328
- Morris v Beardmore [1981] AC 446
- P v D [2000] 2 NZLR 591
- Prince Alfred College Incorporated v ADC [2016] HCA 37
- Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance (2004) 148 FCR 145
- Smethurst v Commissioner of Police (Cth) (2020) 94 ALJR 502
- Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
Legislation
- Budget Paper No. 4. Agency Resourcing, Australian Government Budget 2021-22 (Cth)
- Charter of Human Rights and Responsibilities Act 2006 (Vic)
- Competition and Consumer Act 2010 (Cth)
- Corporations Act 2001 (Cth)
- Crimes Act 1900 (NSW)
- Data Protection Act 1998 (UK)
- Federal Court of Australia Act 1976 (Cth)
- Human Rights Act 1998 (UK)
- Human Rights Act 2019 (Qld)
- National Consumer Credit Protection Act 2009 (Cth)
- Privacy Act 1988 (Cth)
- Privacy and Data Protection Act 2014 (Vic)
- Regulatory Powers (Standard Provisions) Act 2014 (Cth)
- Spam Act 2003 (Cth)
- Superannuation Industry (Supervision) Act 1993 (Cth)
- Surveillance Devices Act 1999 (Vic)
- Trade Practices Act 1974 (Cth)
Other Sources
- AAP, ‘Woolworths says 2.2 million MyDeal customers’ details exposed in data breach’, The Guardian Australia, 15 October 2022, via <https://www.theguardian.com/australia-news/2022/oct/15/woolworths-says-22-million-mydeal-customers-details-exposed-in-data-breach>
- Atherton, Mirella and Eliezer Sanchez-Lasaballett, ‘A class action against Optus could easily be Australia’s biggest: here’s what is involved’, The Conversation, 5 October 2022, via <https://theconversation.com/a-class-action-against-optus-could-easily-be-australias-biggest-heres-what-is-involved-191515>
- Australian Securities and Investments Commission, INFO 151 ASIC’s approach to enforcement (November 2021)
- Hanson, Fergus, ‘Time to admit we’re failing on cybercrime’, Australian Strategic Policy Institute - The Strategist, 1 February 2018, via <https://www.aspistrategist.org.au/time-admit-failing-cybercrime/>
- Jalal, Widia, ‘Anna was ready to buy her first home - but then her details were leaked in the Optus data breach and everything changed’, ABC News, 5 October 2022, via <https://www.abc.net.au/news/2022-10-05/optus-data-breach-affected-cyber-security-risks-credit-check-ban/101496666>
- Kaye, Byron, ‘Two Australian regulators open investigations into Optus after data breach’, Reuters, 11 October 2022, via <https://www.reuters.com/technology/two-australian-regulators-open-investigations-into-optus-after-data-breach-2022-10-11/>
- Lapowsky, Issie, ‘We’d All Benefit if Celebs Sue Apple Over the Photo Hack’, Wired, 4 September 2014, via <https://www.wired.com/2014/09/law-apple-photo-hack/>
- Lim, Cheng, Jim Boynton, Kirsten Bowe, Luke Hawthorne and Jonathan Le, ‘An Australian First: Federal Court Decision Heralds New Era of Cybersecurity Regulatory Action’, King & Wood Mallesons, 12 May 2022, via <https://www.kwm.com/au/en/insights/latest-thinking/new-era-of-cybersecurity-regulatory-action.html>
- May, Natasha and Josh Taylor, ‘Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office’, The Guardian Australia, 27 September 2022, via <https://www.theguardian.com/business/2022/sep/27/police-all-over-dark-web-ransom-threat-to-release-10000-customer-records-a-day-optus-ceo-says>
- Mealy, Erica, ‘How political parties legally harvest your data and use it to bombard you with election spam’, The Conversation, 30 October 2020, via <https://theconversation.com/how-political-parties-legally-harvest-your-data-and-use-it-to-bombard-you-with-election-spam-148803>
- Slater and Gordon, Media Announcement, 12 May 2016, via <https://www.slatergordon.com.au/media/law-firm-backs-calls-for-thermomix-investigation>
- Rachwan, Mostafa, ‘EnergyAustralia latest to be hit by cyber-attack as details of hundreds of customers exposed’, The Guardian Australia, 21 October 2022, via <https://www.theguardian.com/australia-news/2022/oct/21/energyaustralia-latest-to-be-hit-by-cyber-attack-as-details-of-hundreds-of-customers-exposed>
- Remeikis, Amy and Paul Karp, ‘Australian companies to face fines of $50m for data breaches’, The Guardian Australia, 22 October 2022, via <https://www.theguardian.com/australia-news/2022/oct/22/australian-companies-to-face-fines-of-50m-for-data-breaches>
- Shepherd, Tony, ‘The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle’, The Guardian Australia, 1 October 2022, via <https://www.theguardian.com/business/2022/oct/01/optus-data-hack-australians-scramble-to-change-passports-and-driver-licences-after-telco-data-debacle>
- Smith, Gavin and David Rountree, ‘OAIC’s landmark case against Facebook to have major implications on Privacy Act’, Allens, 12 May 2020, via <https://www.allens.com.au/insights-news/insights/2020/05/oaic-landmark-case-facebook/>
- Terzon, Emilia, ‘Medibank reveals customer data breach much wider than originally thought’, ABC News, 25 October 2022, via <https://www.abc.net.au/news/2022-10-25/medibank-breach-wider-than-estimated/101572904>
- Toonders, Joris, ‘Data Is the New Oil of the Digital Economy’, Wired, July 2014, via <https://www.wired.com/insights/2014/07/data-new-oil-digital-economy/>
- Vanian, Jonathan, ‘Why Data Is the New Oil’, Fortune, 11 July 2016, via <http://fortune.com/2016/07/11/data-oil-brainstorm-tech/>
- Woods, Cat, ‘Optus data breach a catalyst for Privacy Act reform’, Law Society Journal (NSW), 28 September 2022, via <https://lsj.com.au/articles/optus-data-breach-a-catalyst-for-privacy-act-reform/>
- Wootton, Hannah, ‘“Teach Optus a lesson”: class actions over cyber hack grow’, Australian Financial Review, 28 September 2022, via <https://www.afr.com/companies/telecommunications/teach-optus-a-lesson-class-actions-over-cyber-hack-grow-20220928-p5blkn>
[1] Richards, Neil, 'Introduction: The Privacy Conversation', Why Privacy Matters (New York, 2022; online edn, Oxford Academic, 18 Nov. 2021), page 3.
[2] For almost three years, the Attorney-General’s Department has undertaken a review of the Privacy Act 1988 (Cth) (Privacy Act): Attorney-General’s Department, Review of the Privacy Act 1988, ‘Issues Paper’ (October 2020) and ‘Discussion Paper’ (October 2021).
[3] Woods, Cat, ‘Optus data breach a catalyst for Privacy Act reform’ 28 September 2022, Law Society Journal (NSW) via <https://lsj.com.au/articles/optus-data-breach-a-catalyst-for-privacy-act-reform/>.
[4] Shepherd, Tony, ‘The biggest hack in history: Australians scramble to change passports and driver licences after Optus telco data debacle’ The Guardian Australia, 1 October 2022 via <https://www.theguardian.com/business/2022/oct/01/optus-data-hack-australians-scramble-to-change-passports-and-driver-licences-after-telco-data-debacle>.
[5] Australian Cyber Security Centre, Optus Data Breach Alert, 30 September 2022, via <https://www.cyber.gov.au/acsc/view-all-content/alerts/optus-data-breach>.
[6] Kaye, Byron, ‘Two Australian regulators open investigations into Optus after data breach’, Reuters, 11 October 2022, via <https://www.reuters.com/technology/two-australian-regulators-open-investigations-into-optus-after-data-breach-2022-10-11/>.
[7] Atherton, Mirella and Eliezer Sanchez-Lasaballett, ‘A class action against Optus could easily be Australia’s biggest: here’s what is involved’, The Conversation, 5 October 2022, via <https://theconversation.com/a-class-action-against-optus-could-easily-be-australias-biggest-heres-what-is-involved-191515>.
[8] Remeikis, Amy and Paul Karp, ‘Australian companies to face fines of $50m for data breaches’, The Guardian Australia, 22 October 2022, via <https://www.theguardian.com/australia-news/2022/oct/22/australian-companies-to-face-fines-of-50m-for-data-breaches>.
[9] Solow-Niederman, Alicia, ‘Beyond the Privacy Torts: Reinvigorating a Common Law Approach for Data Breaches’ (2018) 127 Yale Law Journal (11 January 2018) (Solow-Niederman), page 618 n 15.
[10] Richards, Neil, 'Conclusion: Why Privacy Matters', Why Privacy Matters (New York, 2022; online edn, Oxford Academic, 18 Nov. 2021), https://doi.org/10.1093/oso/9780190939045.003.0008, accessed 21 Oct. 2022.
[11] Commonwealth of Australia v Director, Fair Work Building Industry Inspectorate (2015) 258 CLR 482 at 506; [2015] HCA 46 at [55]
[12] See for example Australian Competition and Consumer Commission v Thermomix in Australia Pty Limited [2018] FCA 556. No orders for compensation for the victims were made, and although calls for class actions were made, none appears to have eventuated. See Slater and Gordon, Media Announcement, 12 May 2016, via <https://www.slatergordon.com.au/media/law-firm-backs-calls-for-thermomix-investigation>.
[13] Murphy, Bernard and Camille Cameron, ‘Access to Justice and the Evolution of Class Action Litigation’ 30 Melbourne University Law Review, page 404; Australian Securities and Investments Commission, INFO 151 ASIC’s approach to enforcement (November 2021).
[14] Office of the Australian Information Commissioner, Privacy Act Review Issues Paper submission, ‘Part 9: Enforcement powers under the Privacy Act and role of the OAIC’, (December 2020), paragraphs 9.12 and 9.31
[15] Average staffing levels (ASL) of 147 for OAIC, 1,235 for ACCC and 1,878 for ASIC, as per the Australian Government Budget 2021-22, Budget Paper No. 4, Agency Resourcing.
[16] Smith, Gavin, and David Rountree ‘OAIC's landmark case against Facebook to have major implications on Privacy Act’ 12 May 2020 via <https://www.allens.com.au/insights-news/insights/2020/05/oaic-landmark-case-facebook/>
[17] Australian Information Commissioner v Facebook Inc [2020] FCA 531.
[18] Australian Law Reform Commission, Integrity, Fairness and Efficiency—An Inquiry into Class Action Proceedings and Third-Party Litigation Funders (December 2018) (ALRC Class Action Inquiry), paragraph 9.28. A third objective might be said to be promoting efficiency in litigation: Tidmarsh, Jay, Class Actions: Five Principles to Promote Fairness and Efficiency (LexisNexis, 2013) §1.03.
[19] ALRC Class Action Inquiry, above n 18, paragraph 9.29.
[20] ss 38 to 39 of the Privacy Act; Note state and territory acts also allow for representative complaints, see for example s 57(3) Privacy and Data Protection Act 2014 (Vic).
[21] Representative complaints thresholds are similar to the class action regime of the Federal Court: s 33C Federal Court of Australia Act 1976 (Cth), s 38 of the Privacy Act 1988 (Cth) – however the privacy regime does not require the class be seven or more persons.
[22] It is difficult to quantify the extent of the use and efficacy of this statutory feature as complaints can be privately conciliated – however in the OAIC Annual Report 2020-21 it was noted ‘We resolved an additional 1,571 matters through a representative complaint.’
[23] Unsuccessfully pleaded in UK data breach case of Warren v DSG Retail Ltd [2021] EWHC 2168 (QB), paragraph 165.
[24] In the class action of Evans v Health Administration Corporation [2019] NSWSC 1781 (Evans), the causes of action pleaded were breach of confidence; a breach of the individuals’ Employment Agreements; a contravention of the Australian Consumer Law; and a breach of the tort of invasion of privacy.
[25] For example, see Financial Rights Legal Centre Inc. & Others and Veda Advantage Information Services and Solutions Ltd [2016] AICmr 88 (9 December 2016), paragraphs [267]-[270]: in that 2016 representative complaint matter, the Commissioner determined that the credit reporting company must take further action to ensure free and accommodating access to credit reports.
[26] J. Maria Glover, The Structural Role of Private Enforcement Mechanisms in Public Law, 53 Wm. & Mary L. Rev. 1137 (2012), via <https://scholarship.law.wm.edu/wmlr/vol53/iss4/3> page 1176
[27] As put by a reported affected individual who has registered with a class action against Optus, ‘It’s the compensation, but it’s also the lessons learned. I think what this will do if we look back in five years’ time, maybe the class action and legislation put in place because of this, I’d like to see something changed so it doesn’t happen again’ Hannah Wootton, ‘‘Teach Optus a lesson’: class actions over cyber hack grow’ Australian Financial Review, 28 Sep 2022, via <https://www.afr.com/companies/telecommunications/teach-optus-a-lesson-class-actions-over-cyber-hack-grow-20220928-p5blkn>
[28] As defined in s 9 Corporations Act 2001 (Cth), also see n 22.
[29] For example cybercrime offences, surveillance device offences, revenge porn offences and address-harvesting civil penalty provisions: s 478.1 of the Criminal Code (Schedule to the Criminal Code Act 1995 (Cth)); ss 11 and 12 of the Surveillance Devices Act 2007 (NSW); s 91Q of the Crimes Act 1900 (NSW); s 22 of the Spam Act 2003 (Cth).
[30] OAIC, ACCC, ACMA, APRA, the eSafety Commissioner, the Commonwealth Ombudsman and the National Data Commissioner – and recently ASIC (as per ASIC v RI Advice Group Pty Ltd [2022] FCA 496) – are just some of the agencies that respond to data breaches, depending on the entity.
[31] As of 2020, two-thirds of Australians are unaware that they can request access to their personal information from businesses and government agencies and are as likely to report a misuse of personal information to the police as the Information Commissioner. Office of the Australian Information Commissioner, ‘Australian Community Attitudes to Privacy Survey 2020’, page 54 and 62.
[32] Smethurst v Commissioner of Police (Cth) (2020) 94 ALJR 502 (Smethurst) at [86]. Although a tort has been declared in Doe v Australian Broadcasting Corp [2007] VCC 281, by Judge Hampel of the Victorian County Court, no State Supreme or Federal court has adopted this case, including in Giller v Procopets (2008) 24 VR 1
[33] ss 13, 40(1) and 40(2) of the Privacy Act.
[34] Note in 2020-21, 2,151 complaints were finalised and 17 determinations were made, Office of the Australian Information Commissioner, Annual Report 2020-21 (OAIC Annual Report 2020-21)
[35] Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100, pages 104-105.
[36] Clark, S. Stuart, Harris, Christina, ‘The Past, Present and Future of Product Liability and Other Mass Tort Class Actions in Australia’ 2009, page 1025-6
[37] Part VA of the Trade Practices Act 1974 (Cth), now replaced by the Australian Consumer Law.
[38] Rivette, Michael ‘Privacy Class Actions’ (2020) 94 Australian Law Journal 791, page 802
[39] Attorney-General’s Department, Review of the Privacy Act 1988, ‘Issues Paper’ (October 2020) and ‘Discussion Paper’ (October 2021).
[40] Australian Law Reform Commission, Serious Invasions of Privacy in the Digital Era, Report No 123 (2014) (ALRC Serious Invasions Report); ACCC, Digital Platforms Inquiry Final Report (June 2019); New South Wales Law Reform Commission, Invasion of Privacy, Report No 120 (2009).
[41] ALRC Serious Invasions Report, above n 40.
[42] Australian Competition and Consumer Commission, Digital Platforms Inquiry Final Report (June 2019), page 472.
[43] Office of the Australian Information Commissioner, Privacy Act Review Issues Paper submission (December 2020), paragraph 10.5.
[44] Office of the Australian Information Commissioner, Privacy Act Review Issues Paper submission, Part 10.
[45] Campbell v Mirror Group Newspapers Ltd [2004] 2 AC 457
[46] In Smethurst v Commissioner of Police (Cth) (2020) 94 ALJR 502 and Farm Transparency International Ltd v New South Wales (2022) 403 ALR 1 (Farm Transparency), following the sentiments expressed in Australian Broadcasting Corp v Lenah Game Meats Ltd (2001) 208 CLR 199 (Lenah).
[47] Lerch, Aiden, "The Judicial Law-Making Function and a Tort of Invasion of Personal Privacy" (2021) 43(2) Sydney Law Review 133
[48] Solow-Niederman, above n 9
[49] Muransky v Godiva Chocolatier Inc, 905 F 3d 1200 (11th Cir, 2018).
[50] Lapowsky, Issie, ‘We'd All Benefit if Celebs Sue Apple Over the Photo Hack’, 4 September 2014, Wired, via < https://www.wired.com/2014/09/law-apple-photo-hack/>
[51] ALRC Serious Invasions Report, above n 40, paragraph 7.73; Zuboff, Shoshana, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books Ltd, 2017), pages 47-49.
[52] Solow-Niederman, above n 9, page 622.
[53] ALRC Serious Invasions Report, above n 40, paragraphs [8.6]-[8.15].
[54] Australian Privacy Foundation, Submission 110 to ALRC Serious Invasions Report, above n 40.
[55] The minimal requirements are: a reasonable expectation of privacy, that the defendant intended to act in a way that resulted in the interference, and the defendant may prove the defence of legitimate public concern: Submission to the Discussion Paper: Dr Jelena Gligorijevic pages 4-5.
[56] Bradley v Wingnut Films Ltd [1993] 1 NZLR 415 at 423-424.
[57] See for example Campbell v Mirror Group Newspapers Ltd [2004] 2 AC 457 and Hosking v Runting (2004) 7 HRNZ 301 paragraph [260]. The law in New Zealand does not recognise a tortious cause of action in privacy based upon the publication of photographs taken in a public place.
[58] Rivette, Michael, 'Litigating privacy cases in the wake of Giller v Procopets' — (2010) 15 Media & Arts Law Review 283, page 289.
[59] Evans v Health Administration Corporation [2019] NSWSC 1781, paragraph [26].
[60] Giller v Procopets [2008] VSCA 236; 24 VR 1; paragraphs [133]-[143] (Giller).
[61] Giller, [148], Ashley JA provided ‘It is true that the common law has, by and large, set its face against awards of damages for mental distress. But that does not mean that equity must do so.’
[62] Solow-Niederman, above n 9, page 624.
[63] Solow-Niederman, above n 9, page 635.
[64] Submission to the Issues Paper: Public Interest Advocacy Centre, 10; Submission to Issues Paper: OAIC, 131.
[65] Knowles v Secretary, Dept of Defence [2020] FCA 1328, Snaden J, paragraphs [88]-[89].
[66] s 80W of the Privacy Act; ss 121-122 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act).
[67] Attorney-General’s Department, Privacy Act Review Discussion Paper, October 2021, page 189.
[68] Evans v Health Administration Corporation [2019] NSWSC 1781, paragraph [33]-[40].
[69] May, Natasha and Josh Taylor, ‘Purported Optus hacker releases 10,000 records including email addresses from defence and prime minister’s office’, The Guardian Australia, 27 September 2022, via <https://www.theguardian.com/business/2022/sep/27/police-all-over-dark-web-ransom-threat-to-release-10000-customer-records-a-day-optus-ceo-says>.
[70] In Evans, the dissemination of the personal information was limited to one person, paragraph [27].
[71] Australian Broadcasting Corp v Lenah Game Meats Ltd (2001) 208 CLR 199, Gleeson CJ at paragraph [34].
[72] Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100, page 117, citing Coco v AN Clark (Engineers) Ltd [1969] RPC 41.
[73] Part VIII of the Privacy Act. See Austen v Civil Aviation Authority (1994) 50 FCR 272 at 278.
[74] For example, s 13(1)(a) Privacy Act: An act or practice of an APP entity is an interference with the privacy of an individual if the act or practice breaches an Australian Privacy Principle in relation to personal information about the individual.
[75] See Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) at paragraphs [33]-[38], where the Data Protection Act 1998 (UK) supplanted a duty of care in negligence.
[76] See for example, the New Zealand tort, where an intentional act ‘connotes an affirmative act, not an unwitting or simply careless intrusion’ C v Holland [2012] 3 NZLR 672, Whata J at [94]–[95]
[77] McDonald, Barbara, ‘A statutory action for breach of privacy: Would it make a (beneficial) difference?’ (2013) 36 Australian Bar Review, page 249
[78] Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100, page 107.
[79] Warren v DSG Retail Ltd [2021] EWHC 2168 (QB)
[80] Witzleb, Normann, ‘Another Push for an Australian Privacy Tort: Context, Evaluation and Prospects’ (2020) 94 Australian Law Journal 765, page 773.
[81] ALRC Serious Invasions Report, above n 40, paragraph 7.29 citing Free TV, Submission 109.
[82] ALRC Serious Invasions Report, above n 40, paragraph 7.73.
[83] ALRC Serious Invasions Report, above n 40, paragraph 7.73.
[84] Zuboff, Shoshana, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (Profile Books Ltd, 2017), page 482.
[85] Competition and Consumer Act 2010 (Cth).
[86] Part 3-2 Division 3 of the National Consumer Credit Protection Act 2009 (Cth), Australian Securities and Investments Commission v Westpac Banking Corporation (Liability Trial) [2019] FCA 1244 Middleton J at paragraph [11]
[87] Solow-Niederman, above n 9, page 631
[88] Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100, page 118.
[89] Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100, pages 105-111.
[90] New South Wales Law Reform Commission, Invasion of Privacy, Report No 120 (2009).
[91] As per APP 11, Privacy Act.
[92] Solow-Niederman, above n 9, page 629-633.
[93] Unless, for example, the organisation is a health service provider or profits from personal information dissemination, an organisation must have a turnover over $3 million for the Privacy Act to apply: s 6C and 6D of the Privacy Act.
[94] ‘Under the proposed model, claimants would first make a complaint to the OAIC or other complaint handling body […] and have their complaint assessed for conciliation. The complainant could then elect to initiate action in court either: instead of pursuing conciliation; after conciliation has proven unsuccessful; where the OAIC has determined the matter not suitable for conciliation, or where the OAIC has terminated the matter.’ Attorney-General’s Department, Privacy Act Review Discussion Paper (October 2021), pages 187-190.
[95] Richards, Neil, 'Introduction: The Privacy Conversation', Why Privacy Matters (New York, 2022; online edn, Oxford Academic, 18 Nov. 2021), https://doi.org/10.1093/oso/9780190939045.003.0001, accessed 21 Oct. 2022.
[96] See, for example discussion by Kirby J at 279-280 in Lange.
[97] Farm Transparency International Ltd v New South Wales (2022) 403 ALR 1, Gageler J at paragraph [90]
[98] s 7B Privacy Act.
[99] s 7C Privacy Act.
[100] Farm Transparency International Ltd v New South Wales (2022) 403 ALR 1, see for example Kiefel CJ and Keane J at [56]
[101] ALRC Class Action Inquiry, above n 18, paragraph 8.3.
[102] ASIC v RI Advice Group Pty Ltd [2022] FCA 496, paragraph [47]
[103] Attorney-General’s Department, Privacy Act Review Discussion Paper, (October 2021) page 189; Submission to the Issues Paper: Office of the Australian Information Commissioner, page 69.
[104] ALRC Class Action Inquiry, above n 18.
[105] APRA, ASIC and the Commissioner of Taxation have the same power under s 298 of the Superannuation Industry (Supervision) Act 1993
[106] Middleton, T, ‘ASIC and Private Litigants – Enforcement of Statutory and Fiduciary Duties of Directors, Financial Advisers and Corporate Trustees – Statutory and Equitable Remedies – Suggested Reforms: Introduction’ (2022) 39 Company and Securities Law Journal 171, pages 181-182.
[107] For example, the Westpoint litigation conducted by ASIC on behalf of the companies and victim investors resulted in the investors being compensated for a substantial proportion of their losses: ASIC, ‘Westpoint’, via <https://asic.gov.au/about-asic/news-centre/key-matters/westpoint/>.
[108] Following Callinan J in Lenah, on an emergent tort of invasion of privacy: ‘Whatever development may take place in that field will be to the benefit of natural, not artificial, persons.’ paragraph [132], raised again in Smethurst at paragraph [241]. The Privacy Act’s narrow definition of ‘individual’ resolves the question in equity and tort law as to whether a duty of confidence could be owed to a corporation: s 6 Privacy Act.
[109] See for example Erica Mealy ‘How political parties legally harvest your data and use it to bombard you with election spam’, 30 October 2020, The Conversation via <https://theconversation.com/how-political-parties-legally-harvest-your-data-and-use-it-to-bombard-you-with-election-spam-148803>
[110] Submission to the Issues Paper: Dr Jelena Gligorijevic, 10; ALRC Serious Invasions Report, above n 40, 23; Submission to the Issues Paper: Law Council of Australia, 3.
[111] Farm Transparency International Ltd v New South Wales (2022) 403 ALR 1 at page 54 paragraphs [229]-[232], also citing Gummow J in Breen v Williams (1996) 186 CLR 71 At 128
[112] As defined in s 6 of the Privacy Act – including medical information, biometric data, criminal records etc.
[113] Lerch, Aiden and Sophie Whittaker, ‘More valuable than oil: The application of tort law and equity to data breach cases’ (2019) 27 Tort L Rev 100, page 118.
[114] Articles 79 and 82 of the UK GDPR; Data Protection Act 1998 (UK).
[115] For example, Secretary of State for the Home Department v TLU [2018] 4 WLR 101, where a UK government agency, following a negligent data breach, was held liable to pay damages both under the tort of misuse of private information and under s 13 of the Data Protection Act 1998 (UK).
[116] Environment Protection Authority v Caltex Refining Co Pty Ltd (1993) 118 ALR 392, Mason CJ and Toohey J at 405
[117] Human Rights Act 1998, as per Campbell v Mirror Group Newspapers Ltd [2004] 2 AC 457 at paragraph [11]
[118] State and Territories have stronger human rights protections than the Commonwealth, but focus on statutory provisions interfering with rights: section 12 of the Human Rights Act 2004 (ACT) and s 13 of the Charter of Human Rights and Responsibilities Act 2006 (Vic), s 25 of the Human Rights Act 2019 (Qld)
[119] s 13 Privacy Act
[120] Solow-Niederman, above n 9, page 632 n 76.
[121] Jalal, Widia, ‘Anna was ready to buy her first home - but then her details were leaked in the Optus data breach and everything changed’, ABC News, via <https://www.abc.net.au/news/2022-10-05/optus-data-breach-affected-cyber-security-risks-credit-check-ban/101496666>
[122] Available under s 80W of the Privacy Act or s 121-122 of the Regulatory Powers Act.
[123] Part IIIC, Privacy Act.
[124] Seven Network (Operations) Ltd v Media Entertainment and Arts Alliance (2004) 148 FCR 145, [40].
[125] Christie, Alec, Sian Pannach and Michael Zacharatos, 'The good, the bad and the ugly: top 10 privacy and cyber issues and trends for 2022 and 2023' (2022) 19(1) Privacy Law Bulletin 8, p 13.
[126] Noting ACCC, OAIC and AGD support this change in the AGD Privacy Act Review.
[127] AAP, Woolworths says 2.2 million MyDeal customers’ details exposed in data breach' 15 October 2022, via <https://www.theguardian.com/australia-news/2022/oct/15/woolworths-says-22-million-mydeal-customers-details-exposed-in-data-breach>.
[128] Rachwan, Mostafa, 'EnergyAustralia latest to be hit by cyber-attack as details of hundreds of customers exposed' 21 October 2022, The Guardian, via <https://www.theguardian.com/australia-news/2022/oct/21/energyaustralia-latest-to-be-hit-by-cyber-attack-as-details-of-hundreds-of-customers-exposed>.
[129] Emilia Terzon, 'Medibank reveals customer data breach much wider than originally thought' 25 October 2022, ABC News via <https://www.abc.net.au/news/2022-10-25/medibank-breach-wider-than-estimated/101572904>
[130] Smethurst v Commissioner of Police (Cth) (2020) 94 ALJR 502, Kiefel CJ, Bell and Keane JJ at [86] citing Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108 (2008), paragraphs [74.81]-[74.82]; see also New South Wales Law Reform Commission, Invasion of Privacy, Report 120 (2009), paragraph [3.3].
[131] Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199, Gummow and Hayne JJ, paragraphs [108]-[110]
[132] Giller v Procopets [2008] VSCA 236; 24 VR 1; Ashley JA, paragraphs [167]-[168]