Breach of Personal Information- Be aware of recent changes
In 2016, ride-sharing giant Uber settled a government investigation into its implementation and use of a system setting known as “God View”. God View was a system accessible by certain employees of Uber in which they could track any of the rides taken by individual users of the app. Concern arose amid allegations that employees were using God View to monitor the whereabouts and addresses of celebrities and other well-known figures.
In July 2015, the now infamous website “Ashley Madison” suffered a massive data breach at the hands of hackers. The website is designed to connect people looking to have extramarital affairs. The hackers contacted registered users of the website and threatened to publicly release their personal information unless varying amounts of money were paid. In the wake of the Ashley Madison data breach (and presumably with God View in mind), the Office of the Australian Information Commissioner (“OAIC”), launched a joint investigation with Canadian authorities.
This investigation reignited calls for a mandatory data breach notification scheme which eventually came in to force on 22 February 2018. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (CTH) codified the requirement for companies with an annual revenue in excess of $3 million (as well as other entities) to notify potentially affected individuals of breaches or suspected breaches to their personal information. The scheme extends not only to data breaches as a result of hacking or lost data-retaining devices but also to misuse of personal information. This could likely encapsulate the conduct alleged regarding God View.
The punishment for a breach of the scheme is a civil penalty. For individuals, these amendments go part way to addressing a gap in Australian law relating to breach of privacy. Unlike our English and American counterparts, there is no defined cause of action for breach of privacy in Australia. While it may be some time before the new scheme is tested, once an individual is notified that a breach of their privacy has occurred they could presumably request that the OAIC declares that they are entitled to compensation under section 52 of the Privacy Act 1988 (CTH) and bring a subsequent court action. The scheme may also lead to an increase in undertakings entered into by offending companies such as the one currently in place with Singtel Optus. These undertakings very well may bolster any actions brought as a result of breaches of personal information.
If you are concerned with a possible breach of your personal information by an entity please contact Lynn & Brown Lawyers for advice.
About the authors:
Evan is a Perth lawyer at Lynn and Brown Lawyers, specialising in Litigation and general Commercial Law. Steven is a Perth lawyer and director, and has over 20 years’ experience in legal practice and practices in commercial law, dispute resolution and estate planning.