FEDERAL COURT OF AUSTRALIA

ALO16 v Minister for Immigration and Border Protection [2017] FCA 270

Appeal from:

ALO16 v Minister for Immigration & Anor [2016] FCCA 2571

File number:

WAD 536 of 2016

Judge:

LOGAN J

Date of judgment:

15 February 2017

Catchwords:

MIGRATION – application for protection visa – judicial review – review of decision of Federal Circuit Court of Australia – publication of personal information – whether the primary judge erred by failing to find the Tribunal had made a finding based on no evidence and/or false factual premise – whether the primary judge erred by failing to find the Tribunal had the jurisdiction to determine the data breach claim – whether the primary judge erred by failing to find the Tribunal did not consider whether the applicant faced a serious risk or real risk of harm upon return to India – no jurisdictional error – application dismissed

Legislation:

Migration Act 1958 (Cth)

Privacy Act 1988 (Cth)

Cases cited:

Minister for Immigration and Border Protection v SZSSJ (2016) 90 ALJR 901

Sathiyanathan v Minister for Immigration & Multicultural Affairs [2000] FCA 210

SZJHE v Minister for Immigration & Citizenship [2008] FCA 1771

Date of hearing:

15 February 2017

Registry:

Western Australia

Division:

General Division

National Practice Area:

Administrative and Constitutional Law and Human Rights

Category:

Catchwords

Number of paragraphs:

26

Counsel for the Appellant:

The appellant appeared in person

Counsel for the First Respondent:

Mr R French

Solicitor for the First Respondent:

Australian Government Solicitor

Counsel for the Second Respondent:

The second respondent filed a submitting notice

ORDERS

WAD 536 of 2016

BETWEEN:

ALO16

Appellant

AND:

MINISTER FOR IMMIGRATION AND BORDER PROTECTION

First Respondent

ADMINISTRATIVE APPEALS TRIBUNAL

Second Respondent

JUDGE:

LOGAN J

DATE OF ORDER:

15 FEBRUARY 2017

THE COURT ORDERS THAT:

1.    The appeal be dismissed.

2.    The appellant pay the first respondent’s costs of and incidental to the appeal to be taxed, if not agreed.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

(REVISED FROM TRANSCRIPT)

LOGAN J:

1    The Administrative Appeals Tribunal (Tribunal) made its decision on the footing that the appellant was, as claimed, a citizen of India. The appellant came to Australia in January 2008. He arrived lawfully, as the holder of a student visa. In February 2010, that visa was cancelled. The appellant remained in Australia, pursuant to a bridging visa, issued during the pendency of his application for the review of that student visa cancellation decision. Whilst in Australia, the appellant came to be imprisoned, as a result of his being charged with, convicted of and sentenced for a breach of the criminal law. He was released from that imprisonment in July 2013, and thereafter placed in immigration detention.

2    In June 2015, whilst in immigration detention, the appellant applied for that type of visa, under the Migration Act 1958 (Cth), known as a protection visa. The basis of his claim to have a well-founded fear of persecution and a real risk of harm, were he to be returned to India, was that his personal details had been published online in a data breach incident concerning the database of the Department of Immigration and Border Protection in 2014. That publication online was, so he claimed, a “disaster which could lead to potentially anything”.

3    The appellant’s further claim was that he could potentially be harmed by anyone, but could not make more specific claims unless and until the Minister’s department provided him with details of who had accessed his personal information, released as a result of the departmental data breach. He claimed that, if such access were not provided, then the only course of action open was to be recognised as a refugee sur place. A delegate for the Minister for Immigration and Border Protection (Minister) refused the applicant’s protection visa application.

4    Thereafter, the appellant sought the review of the Minister’s delegate’s decision by the Tribunal. On 4 February 2016, for reasons given in writing, the Tribunal decided to affirm the Minister’s delegate’s decision not to grant the appellant a protection visa.

5    The appellant then sought the judicial review of the Tribunal’s decision by the Federal Circuit Court of Australia (Federal Circuit Court). On 21 October 2016, the Federal Circuit Court dismissed the appellant’s judicial review application.

6    The appellant now appeals to this Court against that order of dismissal. The Minister is the only active party respondent to the appeal.

7    I have had the benefit this afternoon of hearing oral submissions from both the appellant, who appeared on his own behalf, and counsel for the Minister, as well as considering the written submissions made by each of them. The appellant filed by leave in Court this afternoon a written outline of submissions.

8    The grounds of appeal are these:

1.    The Tribunal made a legal error in making a finding based on no evidence and/or false factual premise.

Particulars

a.    At [17] the Tribunal wrote:

The Tribunal put to him that it did not have the report and could not provide this information, but that in any event it may never be known who accessed the information as it may have been saved and passed on.

b.    At [21] the Tribunal wrote:

The Tribunal considers it unlikely the authorities in India became aware the applicant was in detention through information obtained as a result of the data breach. The Tribunal considers the material was available online for a short period of time and was accessed by a relatively small number of IP addresses.

c.    At [26] the Tribunal found that:

… the claim that there is a real chance the Indian authorities, or anyone else in India, would persecute the applicant because he spent time in detention in Australia, to be far-fetched and mere speculation.

2.    The Tribunal made a legal error as it did not have the jurisdiction to determine the data breach claim.

Particulars

a.    Jurisdiction is invested by the Privacy Act 1988 in the Office of The Australian Information Commission.

3.    The Tribunal made a legal error in asking itself the wrong question.

Particulars

a.    My claim was that I feared harm because the department disclosed my name, personal details and reason for detention in its website.

b.    Without access to the KPMG report I could not identify who had accessed my personal information and who I fear harm from.

c.    The finding at [26] the Tribunal asks itself the wrong question whether I would be persecuted because I spent time in detention in Australia.

9    The Minister’s primary position in respect of the appeal was that the grounds of appeal did not invoke the Court’s appellate jurisdiction, because they did not engage with the judgment of the Federal Circuit Court but, instead, took as their focal point the Tribunal’s decision. It may readily be accepted and the position is that it is appellate, not original, jurisdiction, which is conferred upon this Court and falls for exercise in this proceeding. Much less is it in any way, shape or form a permissible approach for this Court to take upon itself a role of merits review. Neither, for that matter, is that the role of the Federal Circuit Court.

10    The latter Court exercises an original judicial review jurisdiction. This Court exercises an appellate jurisdiction, where invoked, in respect of a judgment of the Federal Circuit Court in a matter such as the present. So much, notably, flows from what was said in Sathiyanathan v Minister for Immigration & Multicultural Affairs [2000] FCA 210.

11    There is, on one reading of the grounds of appeal, a basis for upholding the Minister’s contention as to an absence of engagement with the Federal Circuit Court’s judgment and a consequential failure to invoke appellate jurisdiction. It is possible to read the grounds more benignly when one looks at the context in which the asserted errors of the Tribunal are said in the notice of appeal to have been made. The appellant in the notice expressly takes as the challenged judgment, the order of the Federal Circuit Court. In context, it is possible to read the grounds as a series of allegations as to particular errors on the part of the Tribunal that the Federal Circuit Court ought to have found, particularly having regard to the prospects for the appellant if he returns to India and the Tribunal’s decision is, on the merits, wrong.

12    There is an importance, in my view, in the interests of justice, in disposing of the appeal on the basis that the asserted errors are those of the Federal Circuit Court in failing in one or other ways specified in the notice of appeal to find legal error and quash the Tribunal’s decision accordingly. An example of this type of approach, even where the Court reached a conclusion of an absence of engagement in a notice of appeal with the judgment of the Court below, is to be found in the judgment of Flick J in SZJHE v Minister for Immigration & Citizenship [2008] FCA 1771.

13    The data breach which occurred in the Minister’s department is set out at [20] of the Tribunal’s reasons. From that it emerges that, on 19 February 2014, the department received information that a database containing the personal information of around 10,000 detainees was available on its website. That was a lamentable breach of information security by the Minister’s department. It later came to be the subject of a report by KPMG (KPMG Privacy Breach – Data Management report of 20 May 2014). That report is publicly available only in an abridged form and, in that form, was available to the appellant and the Tribunal. Excerpts of it are detailed in [20] of the Tribunal’s reasons.

14    That excerpt materially includes this statement in the report:

123 accesses via 104 unique internet protocol (IP) addresses attempted to retrieve the file at least once. Analysis of available data has provided the [department] with some indication of the likelihood of each IP address having access to the personal information of detainees.

15    Against that background, the Tribunal made these observations and reached these conclusions in respect of the appellant’s claim for a protection visa:

21.    The Tribunal considers it unlikely the authorities in India became aware the applicant was in detention through information obtained as a result of the data breach. The Tribunal considers the material was available online for a short period of time and was accessed by a relatively small number of IP addresses.

22.    The Tribunal accepts however the Indian authorities are probably aware of the applicant’s detention in Australia due to his application for a passport, which he authorised the Department to assist him with (f. 38 of the Department file). The Tribunal considers it likely the Indian authorities were also aware of his period of criminal detention in Australia. The question put to the applicant by the Tribunal was why his detention in Australia gave rise to a well-founded fear of persecution in India. The applicant was unable to provide reasons as to why there might be a real chance of persecution for reasons of race, religion, nationality, membership of a particular social group or political opinion.

23.    The Tribunal relies on the following information in the DFAT Country Information Report India (15 July 2015) to conclude that merely seeking protection in Australia may not give rise to a well-founded fear of persecution on return to India:

5.21 DFAT is not aware of any credible reports of mistreatment of returnees by Indian authorities, including failed asylum seekers.

24.    The applicant has not provided any independent country information to contradict the conclusion of the DFAT report.

25.    In any event the applicant was detained in Australia not because he applied for a Protection visa, but because he did not have a visa to remain here lawfully. The Tribunal has no credible information before it to indicate persons who have spent time in criminal or immigration detention outside of India are persecuted on return to India for this reason.

26.    The Tribunal finds the claim that there is a real chance the Indian authorities, or anyone else in India, would persecute the applicant because he spent time in detention in Australia, to be far-fetched and mere speculation. The Tribunal acknowledges the problem with police corruption in India, but also finds the chance of corrupt local police identifying the applicant as someone who spent time in detention in Australia and targeting him for persecution for this reason, is too remote to amount to a real chance and is mere speculation.

16    It followed from the conclusions reached by the Tribunal that the Tribunal member was not satisfied that the appellant had a well-founded fear of persecution by reason of his personal information being released in the data breach, or, for that matter, having spent time in detention in Australia.

17    Read in isolation, it is possible to regard the Tribunal’s statement as to access by a relatively small number of IP addresses at [21] as inconsistent with and evidencing a failure to appreciate the wider unknowability of exactly how many people or agencies came to know of data released or accessible as a result of the data breach, as described in observations made by the High Court in Minister for Immigration and Border Protection v SZSSJ (2016) 90 ALJR 901 (SZSSJ). The appellant drew attention to this case in the course of his submissions.

18    SZSSJ arose against a very different background, in terms of administrative decision making, to the present. That does not mean that the observations made by the High Court at [90] to [92] are completely irrelevant for present purposes. The Court there stated:

[90]    The assumption made in the ITOA process that their personal information may have been accessed by authorities in Bangladesh and China removed from the scope of factual inquiry any question of precisely who accessed their personal information as a result of the Data Breach. The assumption was sensible because the true extent of access to the personal information of each affected applicant must in practical terms have been unknowable. Once downloaded from the Department’s website, the document containing the personal information of the 9,258 visa applicants could have been forwarded to and interrogated by anyone, anywhere and at any time. Attempting to make a finding about precisely who had obtained access to the personal information of any one of them, and when, might be expected to have been a hopeless endeavour.

[91]    Sensibly interpreted and applied in the context of making an assessment of whether the Data Breach engaged Australia’s non-refoulement obligations with respect to them, the assumption was not simply that some of their personal information might have been accessed by some authorities. The assumption was rather that all of their personal information had been accessed by all of the persons or entities from whom they feared persecution or other relevant harm. That is how the assumption was in fact interpreted and applied by the officer who conducted SZTZI’s ITOA and how it could reasonably be expected to be interpreted and applied in the conduct of SZSSJ’s ITOA.

[92]     SZSSJ and SZTZI were not deprived of any opportunity to submit evidence or to make submissions relevant to the subject-matter of the ITOA process as a result of not having such further information as might be inferred to have been contained in the unabridged version of the KPMG report. Exactly how and why the Data Breach occurred was simply not relevant to the question of whether one or more of Australia’s non-refoulement obligations were engaged in respect of them. And irrespective of what the unabridged KPMG report might have to say about the identities of the 104 IP addresses from which the document had been accessed during the 14 day period of the Data Breach, the fact would remain that once the document was downloaded the personal information of SZSSJ and SZTZI could have been accessed by anyone. Even if the unabridged KPMG report might have allowed SZSSJ and SZTZI to prove by reference to the report that one or more of those IP addresses were associated with persons or entities from whom they feared harm, that proof would advance their cases for engagement of Australia’s non-refoulement obligations no further than the assumption already made in their favour.

19    It may readily be accepted that an illogical finding in respect of a material fact relevant to determining whether one is satisfied that protection visa criteria have been met, can amount to jurisdictional error, and that a failure on the part of the Federal Circuit Court to so hold could give rise to appealable error. Read in isolation, and once one is seised with the reasoning in respect of the data breach evident in the passages quoted from SZSSJ, it is possible to regard [21] of the Tribunal’s reasons as deficient and not taking into account a relevant consideration in the circumstances, which is that the true number of persons to whom the identities may become known is not limited by the small number of detected IP address accesses, as opposed to an indeterminately large number.

20    It is a mistake, though, to read the reasons of any administrator, including the Tribunal, narrowly and with an eye for error. Read as a whole and, in particular, reading [23] and [24], it becomes apparent that the Tribunal has assumed in the appellant’s favour that there was a wider disclosure or, at least, a disclosure which materially included authorities in India. The conclusion reached by the Tribunal, which was one reasonably open, having regard to the DFAT report mentioned, was that there is no basis for concluding that a mere seeking of protection in Australia will give rise to a well-founded fear of persecution on return to India.

21    The Tribunal separately assessed, and also concluded, that there was an absence of a well-founded fear of persecution arising from a conceded likelihood by the Tribunal that the authorities in India knew or would come to know of his detention for breaches of our criminal law. It may also readily be accepted that persons who have sought, but failed, in asylum claims could be regarded as members of a particular social group. It is just that, on the facts of this case, the Tribunal’s conclusion was that persons in such a group, so far as India was concerned, could not have a well-founded fear of persecution by reason of membership of that particular social group.

22    The Federal Circuit Court did not, as I read the reasons for judgment, go so far as referring expressly to the assumption that I have mentioned flowing from [23] and [24] of the Tribunal’s reasons. The Federal Circuit Court’s focus was on the Tribunal acting upon the information which it had before it, which materially included the abridged, rather than the unabridged, report. The Federal Circuit Court concluded that, on the material the Tribunal did have which included that unabridged report, it had reached a conclusion about whether it was satisfied that the appellant had a well-founded fear of persecution which was reasonably open to it.

23    Even if one reads the appeal grounds as I apprehend the appellant would wish, given his reference to SZSSJ, the result is no different in relation to the data breach related issue.

24    The appellant also relied before the Federal Circuit Court upon an asserted breach of the Privacy Act 1988 (Cth) (Privacy Act) in respect of the data breach. The difficulty with this, and it is one expressly dealt with by the Federal Circuit Court, is that the Tribunal did not, as the Federal Circuit Court held, purport to determine whether there was any breach of the Privacy Act. Further, and even more materially, even if there were, the Tribunal had no merits review role to play in respect of any such breach.

25    Yet further, even if there were such a breach, the breach itself was not relevant to the question of whether the appellant was a person to whom Australia owed a protection obligation under the Migration Act. The reference to and reliance upon the Privacy Act by the appellant was quite irrelevant to the proceedings before the Tribunal, the Federal Circuit Court and this Court.

26    It only comes to this. It was immaterial as to whether the appellant did or did not have access to the unabridged version of the KPMG report. The Tribunal dealt with the evidence before it, which included the abridged version. It made an assumption, which I have mentioned, in the appellant’s favour and it reached a conclusion reasonably open on material before it as to an absence of a well-founded fear of persecution on the part of the appellant, having regard to the claim as made by him. It necessarily follows that the appeal must be dismissed.

I certify that the preceding twenty-six (26) numbered paragraphs are a true copy of the Reasons for Judgment herein of the Honourable Justice Logan.

Associate:    

Dated:    22 March 2017