By: Amanda Beattie, Kieran Doyle and Gavin Davies

At a glance

  • The latest instalment in one of the big stories of 2023 was delivered last week, with the Federal Court dismissing Medibank’s application to enjoin the Office of the Australian Information Commissioner (OAIC) from continuing its investigations into the 2022 cyber-attacks. The OAIC’s investigations can therefore continue in parallel with the Federal Court class action.

Medibank’s application

We covered the background to the injunction application in our earlier update. In short, Medibank is currently being investigated by the OAIC in relation to the 2022 cyber-attacks and resulting data breach. These investigations were, in part, initiated by a representative complaint lodged on behalf of those whose personal data was leaked in the hack. On top of this, a separate class action against Medibank is being pursued in the Federal Court of Australia, again on behalf of victims of the data breach. In late 2023, Medibank applied for an injunction restraining the OAIC from continuing the investigations until after the Federal Court proceedings are resolved.

Medibank sought the injunction on the basis that the concurrent Federal Court proceeding and OAIC investigations give rise to a real risk of inconsistent factual and legal findings. Put another way, the risk perceived by Medibank was that the OAIC and the Federal Court would consider the same issues but come to different conclusions. This risk, Medibank contended, would amount to interference with the administration of justice and warranted an injunction prohibiting the OAIC from proceeding with its investigations.

The decision

In dismissing the application, Beach J explained that while he accepted Medibank’s recitation of the relevant legal principles to be considered, the application of those principles to the facts and context of this case did not warrant the granting of the injunction.

While a number of points are addressed in the judgment, Beach J’s overarching view was that the risk of inconsistent findings was too remote. In reaching this conclusion, the Court noted that:

  • OAIC determinations are not binding or conclusive, and enforcement of any such determination would require an application to the Court
  • in order for inconsistent findings to be made, the Federal Court action would need to proceed to trial and judgment, which is far from certain
  • the OAIC determination is likely to be made prior to the commencement of any trial of the class action, which is still estimated to be 18 months to 2 years away. Moreover, as docket judge on the Federal Court action, Beach J could all but ensure that to be the case, and
  • if the OAIC representative complainant sought to enforce the determination, the application could be bundled into the hearing of the Federal Court action, which would ensure that any ultimate findings were consistent.

It must be noted that the Court’s decision was made based on the present factual matrix, which Beach J accepted could change as the matters develop. Medibank is therefore not precluded from making a similar application in the future. Nevertheless, in circumstances where OAIC determinations are not binding or enforceable without application to the Court, it is difficult to see how the factual matrix could change so dramatically as to alter the Court’s reasoning in this case.

Of course, it remains to be seen whether Medibank appeals the decision. In light of the novel issues raised in the application, and the novelty of the subject matter more generally, it would not be entirely surprising if Medibank pursued an appeal to the Full Federal Court. Either way, this is certainly not the last chapter in this story, and future decisions will shape the course of data breach class actions in Australia. Stay tuned for further updates!