Refugee Breach Tests Aussie Privacy Office Powers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Murray Griffin

Sept. 30 — A data breach involving more than 9,000 unsuccessful applicants for refugee status in Australia raises important questions about the scope of the Privacy Commissioner's powers to order remedial action and has already led to an upheaval in the interpretation of immigration laws, lawyers say.

Privacy Commissioner Timothy Pilgrim is dealing with more than a thousand complaints from people affected by a February 2014 breach in which extensive personal details of 9,259 asylum seekers were made available on the website of the Department of Immigration and Border Protection. That improperly posted information was potentially accessible by the governments in the countries the individuals were fleeing.

The details remained on the website for nine days and were accessed 123 times from various Internet protocol addresses.

Although some believe the privacy commissioner has the inherent power to issue a remedial enforcement order requiring the government to allow the refugees to stay, others, including the privacy commissioner disagree.

Authority to Act?

Alec Christie, a partner at Ernst & Young in Sydney, told Bloomberg BNA that he considered it within the privacy commissioner's power under Section 52 of the country's framework data protection statute, the Privacy Act 1988, to declare that the affected people shouldn't be returned to their home country because of the potential harm caused to them by the breach.

Section 52(1)(b)(ii) of the statute gives the commissioner the power to make a declaration that an entity responsible for a harmful breach “must perform any reasonable act or course of conduct to redress loss or damage suffered by the complainant.”

The only qualifier in the Act is that it must be reasonable and redress any loss or damage suffered by those complaining about the breach, and the Commissioner's guide to privacy regulatory action doesn't specify any additional constraints.

According to Christie, the wording of the provision means it would be open to the Commissioner to conclude that a reasonable form of redress would be to declare that the department “cannot send them back to the country from which they fled.”

“He has got that power,” Christie said.

But Pilgrim, who heads the Office of the Australian Information Commissioner (OAIC), takes a different view.

“The Commissioner has no authority to order that the affected people not be returned to the country from which they came,” the office told Bloomberg BNA.

“The OAIC's outcomes generally include apologies, changes in practices and financial compensation,” the office said.

The OAIC declined to elaborate on the basis for its interpretation of Section 52 of the Privacy Act 1988.

General investigation

Pilgrim made highly critical observations of the department's performance in the reportof his own-motion investigation into the breach, issued in November 2014.

“The Commissioner has no authority to order that the affected people not be returned to the country from which they came.”

Office of the Australian Information Commissioner

The investigation concluded that the department had breached two Information Privacy Principles—which have since been replaced by the Australian Privacy Principles—constituting unlawful disclosure of personal information.

The Commissioner said in a statement announcing the release of the report that the incident was “particularly concerning due to the vulnerability of the people involved.”

Unresolved Complaints

Despite having received complaints from those affected, the Commissioner hasn't made determinations on any of them.

That has frustrated Sydney-based solicitor Michaela Byers who is acting for many of those affected. She told Bloomberg BNA that in mediation sessions concerning the data breach, the OAIC indicated all it could do was “rule on compensation.”

She added that several unsuccessful applicants who have made complaints to the Commissioner have already been deported.

“Every time we've got a deportation notice we've let them know and asked them to prevent that saying that the person still has an ongoing compliant with the Commissioner and they've refused to intervene in any shape or form,” she said.

Procedural Unfairness

Meanwhile, the data breach has already led to an adverse ruling against the department, with the Federal Court Sept. 2 finding that the department's inadequate response meant it had been “procedurally unfair” in its treatment of two unsuccessful asylum applicants.

The recent court ruling means the department must reassess the asylum seekers' applications to take proper account of the possible impact of the data breach.

The recent court ruling means the Department of Immigration and Border Protection must reassess the asylum seekers' applications to take proper account of the possible impact of the data breach.

The court noted that the head of the department wrote to the affected applicants in March, expressing deep regret and advising that the department “will assess any implications for you personally as part of its normal processes.”

But it subsequently gave one of the two applicants only 14 days to explain in writing the personal impact of the data breach, without fully explaining what the breach was or how it might have affected him.

Nor would the department give him a copy of a report it commissioned from consulting company KPMG on the breach.

“The department is requiring affected individuals to make submissions to it about the consequence of its own wrongful actions in disclosing their information to third parties without revealing to them all that it knows about its own disclosures,” the court said.

The department only acknowledged that other governments might have accessed the personal information, the court noted.

Yet it expected the applicant to show definitively that it had been accessed and by who, and that this access posed a significant risk, it said.

This approach “erects a process guaranteeing the claim will fail,” the court said.

Appeal Likely

Byers said she expects the government to appeal the lack of proper process ruling to the High Court, Australia's highest court, largely because of its implications for immigration legislation passed in December 2014.

The legislation authorized the fast-track deportation of unsuccessful applicants if their cases are determined through the International Treaties Obligation Assessment (ITOA) by removing the requirement to consider whether it was safe to send them back, she said.

The court's decision effectively undercuts the government's intent, she said.

'Absolute Wake-Up Call.'

Although the result of the commissioner's processes and the court case have life-changing ramifications for the applicants, Christie said that whatever the result it is likely to “put privacy on the map” in Australia.

By showing that it is possible for a privacy declaration to fundamentally cut across government policy or a departmental decision “this will be an absolute wake-up call,” he said.

Christie added that if the breach had occurred after the introduction of recent legislative changes that introduced fines for privacy offenses, the department's data breach would have been a good candidate for the A$1.7 million ($1.2 million) maximum penalty now available under the Privacy Act 2003.

To contact the reporter on this story: Murray Griffin in Melbourne at

To contact the editor responsible for this story: Donald G. Aplin at