A number of key trends emerged over the past year (or were foreshadowed for the year ahead) in the commercial disputes space which will have significant implications for businesses operating in Australia in terms of increasing the risk of both consumer and regulatory litigation and the potential for higher penalties in areas such as privacy and competition.
Before the first quarter closes on FY 23-24, set out below are some of the key trends and regulatory developments our team has observed in the data, privacy, greenwashing, IP, defamation, unfair contract terms, arbitration, administrative review spaces for FY22-23.
In addition to the below, looking forward, we expect that the following trends (which we are closely monitoring) will shape the commercial disputes landscape in FY23-24:
the commencement of the National Anti-Corruption Commission from 1 July 2023. Our article regarding this can be found here;
if implemented, the proposed reforms to the Privacy Act 1988 (Cth) (Privacy Act), including the introduction of a statutory tort for serious invasions of privacy or the direct right of action for interferences with privacy. Our article regarding this can be found here;
if implemented, the proposed reforms to the provisions of the Corporations Act 2001 (Cth) regulating federal litigation funding schemes; and
the possibility of judicial consideration of the new public interest defence under the uniform Defamation Acts if several cases before the courts where that defence has been pleaded by mass media do not settle.
Data/Privacy
Class Actions
Prior to FY22-23, only one data privacy class action had been commenced in Australia (which settled before being considered by the courts). Since that update, the landscape (and accordingly, the risk for businesses who experience a data breach) has changed significantly, with:
three consumer-class actions having been commenced against Medibank and Optus in the Federal Court (with a further foreshadowed in respect of the Latitude Financial Services data breach);
a consumer action having been filed by a self-represented litigant for compensation in respect of the Latitude Financial Services data breach;
two shareholder class actions commenced against Medibank in the Victorian Supreme Court; and
representative complaints regarding each of the above data breaches being investigated by the Office of the Australian Information Commissioner (OAIC) in tandem.
Each of the class actions above raise novel issues, for example, the application of common law causes of action such as negligence in a data breach context and the interpretation of various provisions of Australian data privacy legislation which have not, to date, been tested in the Courts (for example APP 11 of the Privacy Act). If successful, such cases may also open the floodgates for further class actions in this space. Any such claims (and corresponding risk to business) may be further bolstered by the introduction of a statutory tort for serious invasions of privacy or direct right of action for interferences with privacy, which are proposed to be introduced as part of the wide-ranging reforms to the Privacy Act (see our article here).
For more information about data privacy class actions in Australia, see our article here.
Regulatory Action
Regulation of data (including, but not limited to personal information) has become a key focus for Australian regulators in recent years.
In addition to the increased funding provisioned for privacy enforcement and other cybersecurity initiatives in the FY2023/24 budget (see our article here), various regulators have commenced enforcement actions which seek to apply more general obligations in a data/privacy context. For example, the following cases continued into this financial year:
OAIC v Meta Platforms, Inc & Anor (NSD 246/2020):
This case is concerned with allegations by the OAIC that Meta (then, Facebook), between 12 March 2014 to 1 May 2015:
disclosed personal information of Australian Facebook users to the ‘This Is Your Digital Life’ app (the app) in breach of Australian Privacy Principle (APP) 6 in circumstances where most users did not install the app themselves, and their personal information was disclosed via their friends’ use of the app;
did not take reasonable steps to protect its users’ personal information from unauthorised disclosure, in breach of APP 11; and
as a result, exposed the personal information of various Australians to the risk of being disclosed to Cambridge Analytica and used for political purposes.
in March 2020, the OAIC brought proceedings against Facebook (now Meta) in the Federal Court in relation to Cambridge Analytica. Facebook attempted to set aside service of the legal documents on the US-based entity. In September 2020, the Federal Court found the OAIC had established a prima facie case that Facebook carried on business and collected personal information in Australia within the meaning of the Privacy Act through, amongst other things, its installation of cookies on Australian devices. That finding was made in the context of an application by Facebook for leave to appeal an interlocutory decision upholding service on the US-based entity. Facebook appealed the September 2020 decision and, in February 2022, the Full Federal Court dismissed the appeal. In September 2022, Facebook was granted special leave to appeal to the High Court but, in March 2023, that special leave was revoked (because the matter no longer raised an issue of public importance following a change to the Federal Court’s procedural rules).
the substantive proceeding, in which the OAIC is seeking civil penalties against Facebook, has returned to the Federal Court for consideration.
ASIC v RI Advice [2022] FCA 496: in which the Federal Court read into Australian Financial Services License (AFSL) holders’ general duties an obligation to maintain adequate cybersecurity protections and mitigate…