Group complaint lodged with the Information Commissioner against Optus for data breach involving 50,000 customers in October 2019
April 27, 2020 |
Lawyers weekly has just reported that Maurice Blackburn has made a representative complaint against arising out of a data breach in October 2019. It is the first representative complaint made under the Privacy Act 1988. It seems 2020 is proving to be an active year for use of the Privacy Act with the Commissioner commencing civil penalty proceedings, for the first time, and now this representative complaint.
Maurie Blackburn describes the complaint as:
Maurice Blackburn has made a representative complaint with the Office of the Australian Information Commissioner against SingTel Optus Pty Ltd trading as Optus for a breach of the Privacy Act 1988 (Cth).
The complaint concerns the mistaken disclosure of customer data by Optus.
In October 2019, Optus wrote to customers to tell them that it had mistakenly released names, addresses and phone numbers and as a result, this information was:
-
- Listed online at whitepages.com.au;
- Potentially printed in the local printed White Pages;
- Listed with operator directory assistance; and
- Possibly listed in other smaller online directories.
If you received the following letter* and feel you have been adversely impacted please register here or contact us via optusclassaction@mauriceblackburn.com.au or call us on 1800 318 061
It has also linked the reporting of the breach here. It was also reported in Australian Privacy Breach: Thousands of Optus mobile numbers mistakenly published in White Pages and by itnews in Optus snafu prints 50k private mobile numbers in White Pages as well as other platforms.
The common theme of the stories was that nearly 50,000 customers names, addresses, mobile and home phone numbers were wrongly published in the White Pages without the customers’ consent.
A representative complaint can be made under section 36 provided the preconditions set out in section 38 are met. Section 36 provides:
(1) An individual may complain to the Commissioner about an act or practice that may be an interference with the privacy of the individual. (2) In the case of an act or practice that may be an interference with the privacy of 2 or more individuals, any one of those individuals may make a complaint under subsection (1) on behalf of all of the individuals.
(2A) In the case of a representative complaint, this section has effect subject to section 38
(3) A complaint shall be in writing.
(4) It is the duty of:
(a) members of the staff of the Commissioner; and
(b) members of the staff of the Ombudsman who have had powers of the Commissioner delegated to them under section 99;
to provide appropriate assistance to a person who wishes to make a complaint and requires assistance to formulate the complaint. (5) The complaint shall specify the respondent to the complaint.
(6) In the case of a complaint about an act or practice of an agency:
(a) if the agency is an individual or a body corporate, the agency shall be the respondent; and
(b) if the agency is an unincorporated body, the principal executive of the agency shall be the respondent.
(7) In the case of a complaint about an act or practice of an organisation, the organisation is the respondent.
Note: Sections 98A to 98C contain further rules about how this Part operates in relation to respondent organisations that are not legal persons.
(8) The respondent to a complaint about an act or practice described in subsection 13(2), (4) or (5), other than an act or practice of an agency or organisation, is the person or entity who engaged in the act or practice.
The requirements in section 38 are:
(1) A representative complaint may be lodged under section 36 only if:
(a) the class members have complaints against the same person or entity; and
(b) all the complaints are in respect of, or arise out of, the same, similar or related circumstances; and
(c) all the complaints give rise to a substantial common issue of law or fact.
(2) A representative complaint made under section 36 must:
(a) describe or otherwise identify the class members; and
(b) specify the nature of the complaints made on behalf of the class members; and
(c) specify the nature of the relief sought; and
(d) specify the questions of law or fact that are common to the complaints of the class members.
In describing or otherwise identifying the class members, it is not necessary to name them or specify how many there are
(3) A representative complaint may be lodged without the consent of class members.
The Lawyers Weekly article, Optus in Optus hit with class action over data breach impacting 50,000 Aussies, provides:
Maurice Blackburn has hit the nation’s second largest telco with a class action lawsuit with the firm saying it will be “an important test of Australia’s privacy laws”.
The class action stems from Optus allegedly revealing the personal information of 50,000 customers, including their home addresses.
The legal action is understood to be the “first of its kind” against a telco for a breach of privacy.
Maurice Blackburn Lawyers filed the complaint with the Office of the Australian Information Commissioner against SingTel Optus Pty Ltd for a breach of the Privacy Act 1988 (Cth).
Maurice Blackburn senior associate Elizabeth O’Shea said privacy breaches are an increasing problem as companies become increasingly entrusted with personal information.
“When people share personal information about themselves with companies, especially large ones, they expect that data to be held securely, and for it to be used only in lawful ways,” she said.
The class action alleges Optus failed to meet its duty to customers by disclosing their personal information that was originally collected for another purpose, including through placing their information in phone directories, which the firm said customers didn’t consent to.
The action also alleges the telco failed to take the proper steps to protect its customers’ privacy.
The data breach was discovered by Optus during a routine audit of 10 million customers in October last year.
Optus told nearly 50,000 customers that their name, address, mobile and home phone numbers had been wrongly published in the White Pages, run by Sensis, against their wishes.
Under the Privacy Act, corporations which disclose personal details of clients face penalties including fines.
But until now no class action using the Act has been brought on behalf of customers seeking compensation. Under the Act, consumers may be compensated for privacy breaches.
“Too often we see reports of data mismanagement and it’s time for companies to be held accountable for this,” Ms O Shea said.
“Bad practices in data management can have real world consequences for people, and to make companies understand that, we will need to start taking them to court.”
According to Maurice Blackburn Lawyers, it will be the first time a class action using the Act has been brought on behalf of customers seeking compensation.
Lawyers Weekly understands that if successful, the action could see Optus have to fork out anywhere up to $40 million or more.
At the risk or being too technical a representative complaint is not a class action. As to how the figure of $40 million was arrived at as a possible award is far from clear.