Representative proceedings for alleged interferences with privacy (Privacy Class Actions) have recently emerged as an opportunity for class action proponents, particularly following high-profile cyber incidents (eg Optus and Medibank). They are attractive to plaintiff law firms and litigation funders given: large class sizes (often in the millions), easily identified group members (identified through the respondents’ mandatory notification obligations), and elevated public awareness making it easier to register large numbers of individuals.
Until legislative amendments introduced in the review period, there was no clear direct cause of action for breaches of privacy. To date, groups of impacted individuals have typically sought relief using the ‘representative complaint’ mechanism under the Privacy Act which allows for group compensation claims to be made directly to (and determined by) the OAIC for breaches of the Australian Privacy Principles (APPs). In some cases, different firms have filed a class action proceeding with the Court and a representative complaint with the OAIC on behalf of the same class in respect of the same data breach.
The scale and appetite for a remedy accessible by consumers is underscored by the OAIC’s latest statistics. In 2024, a record 1,113 data breaches were reported, representing a 25% increase from 893 notifications in 2023. Malicious and criminal attacks remain the main source of breaches, accounting for 69% of notifications in the second half of the year, with 61% of those being cyber security incidents. Health service providers and the Australian Government were the most affected sectors, together accounting for 37% of all breaches. The OAIC’s report highlights the increasing risks to Australians’ privacy and the need for organisations and agencies to step up privacy and security measures, as well as to ensure timely breach notifications.
Recent reforms to the Privacy Act have potentially shifted the landscape by introducing both:
- a direct cause of action for breach of privacy (the new statutory tort for serious invasions of privacy), and
- an avenue for individuals to claim compensation from the Court where the Australian Information Commissioner (AIC) is seeking a civil penalty against the entity for breach of the APPs (the new s80UA).
While the impact of these reforms is uncertain, we take a look at the possible future implications for Privacy Class Actions — and in particular, the following key questions facing applicants:
- Federal Court v the OAIC: which will emerge as the forum of choice?
- Statutory tort v s80UA: which avenue to compensation will prove more fruitful?
Existing Landscape
Historically, claimants faced a choice between 2 forums.
1. CLASS ACTION PROCEEDINGS IN COURT
2. REPRESENTATIVE COMPLAINT TO THE OAIC
In both the Medibank and Optus examples, the respondents are presently facing class actions in the Federal Court and a representative complaint before the OAIC, in addition to civil penalty proceedings brought by the OAIC (and, in the case of Optus, the Australian Communications and Media Authority (ACMA)).
The Privacy Act Reforms
Passed on 29 November 2024 (and effective from 10 June 2025), the Privacy and Other Legislation Amendment Act 2024 (Cth) introduced 2 important reforms:
Statutory Tort (Sch 2)
Under the direct right of action, plaintiffs must prove:
Proof of actual damage is not required, but harm may be relevant to ‘seriousness’ and remedies. Remedies include damages (including emotional distress), injunctions, apologies, and others. Exemptions apply to journalists and others (including intelligence and law enforcement).
Section 80UA
In a civil penalty proceeding commenced by the AIC, the Court can now make orders:
An application for compensation under s80UA can be made by the Commissioner, or an affected individual. An order can be made if the Court has, or will, determine that an entity has contravened a civil penalty provision.
Strategic Implications for Class Action Risk
The reforms made no change to the representative complaint mechanism, which remains available as a pathway for groups of individuals to seek compensation for breaches of the APPs.
The limitations of the pre-existing representative complaint mechanism (opaque processes, non-binding determinations, and lack of a clear mechanism to achieve returns on investment) mean that the statutory tort may be preferred where the defendant’s conduct meets the test – but the requirements that the interference be ‘serious’ and result from intentional or reckless conduct may limit its viability, particularly in cyber breach cases. It is likely that applicants will continue to plead other causes of action (breaches of contract and confidence, misleading or deceptive conduct, negligence) at least until there is clear authority on the scope of the tort.
The availability of relief under s80UA depends entirely on the AIC seeking a civil penalty (and whether the AIC also applies for compensation orders under s80UA itself, as in Optus). For defendants, the new provision may make settling civil penalty proceedings with the AIC more complex, as any admissions leading to the imposition of a civil penalty can be relied upon directly by claimants to enliven compensation claims (including for non-economic loss).
When multiple pathways run in parallel — individual OAIC complaints, representative complaints, class actions under the statutory tort, and OAIC civil penalty proceedings — the interaction between them can create procedural complexity that may affect available remedies, timing, exposure for defendants and res judicata considerations. Different limitation periods, evidentiary rules, and liability thresholds apply across the different forums. In this regard, see the Competing systems of redress section of The Review.
A stark example of this complexity is Optus. As a result of the 2022 data breach, Optus is now subject to:
- 3 consumer claims, comprising 2 representative complaints before the OAIC lodged by Johnson Winter Slattery (October 2022) and Maurice Blackburn (April 2023) for breach of the APPs, and a class action in the Federal Court filed by Slater and Gordon (April 2023) claiming, among other things, negligence and breach of contract, and
- 2 civil penalty proceedings filed by the ACMA (in May 2024) and the AIC (in August 2025) for interferences with privacy. The AIC’s claim also includes a claim for consumer compensation under the new s80UA (an avenue not available to the class action claimants at the time of filing).
The Court is now considering the most appropriate way to manage the overlapping allegations, claims and group members across all proceedings involving multiple forums, regulators and causes of action.
Background: In March 2020, the OAIC commenced civil penalty proceedings in the Federal Court (NSD 246/2020) over the Cambridge Analytica matter (where Facebook users’ information was disclosed to third parties and risked being used for political profiling purposes), alleging serious or repeated interferences with privacy (s13G) affecting an estimated 311,127 Australian users.
Outcome: On 17 December 2024, the OAIC accepted an enforceable undertaking from Meta under s114 of the Regulatory Powers (Standard Provisions) Act 2014, establishing a $50m payment program for eligible users. The OAIC discontinued the civil penalty proceedings. The undertaking was accepted on a no-admissions basis and includes independent administration of the scheme.
Why it’s interesting: Resolving the Federal Court proceeding via an enforceable undertaking delivered a compensation pathway without declarations of contravening conduct or the imposition of a civil penalty.
Practice point: For organisations facing overlapping enforcement and litigation risk, early, coordinated engagement with the OAIC can streamline resolution and minimise duplicative proceedings — especially where forward-looking remediation and a pragmatic compensation mechanism can be agreed with the OAIC. A resolution of this kind is likely to be attractive for defendants, particularly now given the risk of a compensation order under s80UA in a civil penalty proceeding – but may be very difficult to achieve now that the regulator has a statutory pathway to achieve both a penalty and compensation.
King & Wood Mallesons acted for Meta Platforms, Inc.


