Letter / Media Release
This is an update on the Latitude Financial Services privacy breach.
Letter / Media Release
Dear Registrant,
We last wrote to you on 23 November 2023.
Current group claims
As you likely know, we have filed complaints against Latitude with:
- the Australian Privacy Commissioner (Privacy Commissioner); and
- the New Zealand Privacy Commissioner (NZOPC).
In November, the Australian Privacy Commissioner gave us a preliminary indication that our representative complaint has been accepted. As at the date of this update, we have not yet heard from the NZOPC.
Privacy Commissioners’ Investigation
In our last update, we told you that the Privacy Commissioners’ investigation would be a slow process. This is not unusual in privacy investigations.
For instance, in complaints filed in other data breach cases, it has taken many months for the Privacy Commissioner to move a complaint through the first stages.
As soon as we hear further information from the Privacy Commissioners, we will notify you.
Recent developments in other data breach cases
In our last update, we told you that some other data breach cases were coming up for hearing – and the outcomes of those hearings might be relevant to your case.
These hearings have now happened. These cases are only in Australia.
For the Medibank data breach, there is a complaint with the Privacy Commissioner and also a Federal Court being heard at the same time. Medibank made an application to the Court to try to stop the Privacy Commissioner complaint. Medibank argued that it was unfair for them to have to respond to the Privacy Commissioner complaint and a class action at the same time. The Court disagreed. The Court refused to stop the Privacy Commissioner complaint because it said unfairness to Medibank and the class action was only ‘hypothetical’ at this early stage. This is important because it establishes that, at least at an early stage, both avenues of complaint can be run at the same time. Until now, no court had provided a judgment in relation to that issue.
Next, there were different representative complaints filed with the Privacy Commissioner for the Optus data breach. The Federal Court was asked to consider whether the Privacy Commissioner should only consider the complaint that was made first in time. The Federal Court found that the Privacy Commissioner should not be not stopped from considering the second later complaint. This is relevant to the Latitude investigation because the Privacy Commissioner has confirmed that there were multiple representative complaints filed for the Latitude data breach. The Privacy Commissioner has indicated that our complaint was first in time.
Next Steps
The next step is for the Commissioner to formally accept our complaint. In November, they indicated this would occur soon, but we are still waiting for this confirmation. We have now written to the Privacy Commissioner more than 6 times seeking a further update.
Although progress is slow, both the Australian and New Zealand Privacy Commissioners can order Latitude to pay you financial compensation if the representative complaints are successful. However, given the delays already experienced in this case and the time taken in other privacy investigations launched with the Privacy Commissioner, we expect it to be a long road before any final decision is made. We will of course seek to accelerate this process as best we can.
Gordon Legal & Hayden Stephens and Associates
