Parallels between the US and AU cyber class action spaces
Following the news of multiple class actions against Optus and Medibank after their respective data breaches, this professor drew parallels between the US and Australia to assess similarities in class action trends between the two jurisdictions.
Professor John Swinson teaches privacy law and cyber security law at the University of Queensland. Speaking recently on The Lawyers Weekly Show, he discussed the state of affairs with privacy and cyber security class actions off the back of the recent hacks of Medibank and Optus — and compared Australia against other jurisdictions.
Similarly, following its own data breach, Optus is also facing two class actions, from Maurice Blackburn and Slater & Gordon, both announced in September last year.
While Professor Swinson emphasised that Australia remains fairly well-prepared for cyber attacks, there are a number of notable things going on in other markets, particularly the US, where privacy laws are a little more complicated.
“Most people in Australia, when you’re thinking of privacy, are thinking of the Privacy Act, which deals with informational privacy information about a person, so personal information. And dealing with data that’s being collected, so how is data collected used, disclosed, secured and so on? America started off with a much broader concept of privacy. In fact, a privacy law as we know it probably was invented in the United States in the 1890s,” he explained.
“There was a law review article by Warren and Brandeis called ‘The Right to Privacy’, 1890. And they were looking at how technology was interfering with people’s privacy, and technology, in that case, was a camera and how cameras were being used to take photographs of people in private events, weddings and family events, and then it was published in the newspaper.”
Out of that law review article, the “tort of privacy” was created, with the “tort of negligence” brought out in the late 1920s and early 1930s. The tort of privacy allowed individual citizens to bring a court case against businesses that interfered with their privacy, which was defined fairly broadly: intrusion upon seclusion and public disclosure of private facts, for example.
“Then the law of privacy developed into a constitutional theory. What does the constitution protect? What laws can be struck down as being in breach of your privacy? So, in 1965, the US Supreme Court struck down a law prohibiting the supply of contraceptives to married couples. And so that was looking at bodily privacy, or what you did in your own home. That wasn’t to do with informational privacy,” Professor Swinson explained.
“And those cases went on ... The most famous being Roe v Wade, the abortion case was a privacy case and then cases dealing with gay marriage and so on. And that all changed last year when the US court struck down Roe v Wade. And the question is, is there a constitutional right of privacy in the US? And that’s still uncertain. Some of the judges who struck down Roe v Wade said it only impacts this abortion case. It doesn’t take away the cases about gay marriage and contraception, for example.”
Therefore, there are acts in the US dealing with the protection of data collected by governments and protection of health data, but there’s not a broad privacy act dealing with how businesses should collect and deal with personal information, Professor Swinson explained.
“What’s happened in recent times is people in the US have seen what the large IT companies are doing, the large social media companies are doing, and have said, ‘We need protection.’ There [are] referendums in California that passed privacy laws through a citizen’s referendum. So, California has now got very strict privacy laws, stricter than Australia. And we’ve seen that there’s been a movement in the US to protect citizens, not just from the government, but from corporations in relation to privacy issues. And so that’s one big trend,” he said.
“The second trend is there [are] a lot more class action lawsuits in the US. Particularly in relation to health information, so hacking of hospitals and doctor’s offices and so on, cyber security in relation to that or just generally in relation to the tort of privacy. And so, lots of lawsuits in the US are quite significant.
“In the US, you’re seeing because of the number of people impacted, large numbers of people each getting a small amount of money. And so, the question for Australia is, well, we have less people in Australia. Is it worthwhile bringing a class action suit if there’s less people impacted? Is $200 multiplied by five million people or two million people enough to bring a class action lawsuit? 147 million people, clearly it is,” Professor Swinson continued.
“And I think litigation funders in Australia are starting to get interested in class action lawsuits because the amounts of money are significant when you’re looking at the number of people impacted. So, if it’s a small number of people with low impact, then less so. But Medibank Private and Optus are showing that there are big pots of money here.”
In terms of how to actually assess these damages, Professor Swinson said it could be hard to measure.
“In Medibank, there are people with all sorts of medical conditions, psychological, sexual and so on, that might actually impact your mental state in a way that would be assessed by the courts today. Or if your address is published, you might have to change houses. And so that can be measured. So, there are things you can measure. The real issue is to what extent does privacy protect your emotional wellbeing? And so, it could be like defamation where it impacts your emotional state,” he explained.
“If you knew that the records that were stolen from Medibank showed that you were HIV positive and no one in your family knew, none of the people at work knew, you’d have anguish. It doesn’t amount to medical psychotic injury, but it does impact your wellbeing. And that’s what privacy is to protect, what you don’t want people to know. So, the fact that people could soon know that, how much is that worth?
“And courts have said in certain cases in the US, Australia, in the Privacy Commission, and in the UK, that that kind of stuff can be protected by privacy, and you can get damages for that. But how we’ll assess it, we are not sure. And it would be very interesting to see how a court will deal with that because that’s what privacy is there to protect.”