Accessibility Links
Home
Main Menu
Jurisdiction
Judges
Registrars
Courts & TribunalsAdministered by the Federal Court
International Programs
Freedom of Information
Media GuideInformation for journalists
Corporate Information Reports, plans and other publications
National Court Framework
Employment
Access to Court Files & Transcript
Check the progress of a caseListing dates, Orders & links to judgments
Research Requests
Registry ServicesWhat Registries can & cannot do
Interpreters
Help for people with disabilities
Technology and the Court
Powers of a Registrar
Assisted Dispute Resolution (ADR)
Subscribe to Judgments & Events by NPA; Practice News, Daily Court Lists and more
National Practice Areas (NPAs)
Court Rules, Acts & Regulations
Practice Documents
Class Actions
Consultation & Liaison User group meetings, Harmonised Rules Committees (Bankruptcy & Corporations)
Appeals
Guides Including Bankruptcy, Corporations, Migration, Administrative & Constitutional Law and Human Rights; Communicating with the Court; Expert witnesses.
Use of Communication Devices
Forms Prescribed Under: Other Forms:
Difference Between Fees & Costs
Court Fees About Court fees including exemptions, deferral & refunds
Filing Filing & lodgement
Legal Costs
Interest Rates Pre-judgment & post-judgment interest rates
Court Sitting Dates
  • 2026
    • 2 February - 18 December
  • 2027
    • 1 February - 17 December
Full Court & Appellate Sitting Dates
  • 2026
    • 2 - 27 March
    • 27 July - 28 August
    • 2 - 27 November
  • 2027
    • 22 February - 19 March
    • 26 July - 27 August
    • 1 - 26 November
Daily Court Lists
Select state
Select a state registry to view the current court list: Select a state registry to view the current court list.
click map Western Australia Northern Territory South Australia Queensland New South Wales Victoria Tasmania Australian Capital Territory Australia
Register to receive daily court lists by email soon after they are published. Subscribe
Future Listings Find future hearing times and dates. Go to Federal Law Search
Library
Annual Reports
Judges' Speeches Current and former judges, including Welcome and Farewell ceremonies
Videos & Podcasts Videos, podcasts and online streaming
GlossaryGlossary of legal terms
Judgments About the judgments collection, including FAQs
I am a Party -
Information for Litigants
Jury Service
I am a Practitioner I am a witness I have been Subpoenaed
Guides
Online Services
You are here:

Federal Court of Australia

Saffari v Latitude Financial Services Australia Holdings Pty Ltd [2024] FCA 573

File number(s):

NSD 519 of 2023

Judgment of:

PERRY J

Date of judgment:

4 June 2024

Catchwords:

PRACTICE AND PROCEDURE – application for joinder of parties where no reasonable cause of action is pleaded against any proposed respondentsapplication for leave to amend originating application and to file a statement of claim where no actual loss or damage pleaded for alleged claims in negligence and under the Civil Liability Act 2002 (NSW) – where proposed pleadings do not establish a contractual relationship between the applicant and respondent – where proposed pleadings do not meet statutory criteria for claims under Privacy Act 1988 (Cth), Corporations Act 2001 (Cth) or Competition and Consumer Act 2010 (Cth) – whether proceedings should be dismissed under rule 5.23(1)(b) of the Federal Court Rules for failure of the statement of claim to articulate an arguable cause of action – application dismissed

Legislation:

Competition and Consumer Act 2010 (Cth) ss 4K, 82; Schedule 2 (Australian Consumer Law) s 13, 54, 60, 259, 267

Corporations Act 2001 (Cth) ss 167A, 912A, 1324

Federal Court of Australia Act 1976 (Cth) ss 31A, 37M, 37N

Privacy Act 1998 (Cth) ss 25, 25A, 28, 52, 55A, 80U, 93, Schedule 1 (Australian Privacy Principles), principle 11

Federal Court Rules 2011 (Cth) rr 5.22, 5.23, 8.05, 8.21, 9.05, 16.53

Civil Liability Act 2002 (NSW) ss 11A

Cases cited:

ASIC v RI Advice Group Pty Ltd [2022] FCA 496

Austen v Civil Aviation Authority (1994) 50 FCR 272

Brisbane Slipways Operations Pty Ltd v Pantaloni (2010) 270 ALR 13; [2010] FCA 654 at [154]

Brookfield Multiplex Ltd v Owners Corporation Strata Plan 61288 (2014) 254 CLR 185

Day v Lynn [2003] FCA 879

DOQ17 v Australian Financial Security Authority (No 3) [2019] FCA 1488

DOQ17 v Australian Financial Security Authority [2018] FCA 56

McCracken v Phoenix Constructions (Qld) Pty Ltd [2012] QCA 129; [2013] 2 Qd R 27

Review Australia Pty Ltd v Redberry Enterprise Pty Ltd [2003] FCA 1009

Roberts-Smith v Roberts [2022] FCA 18

Sellars v Adelaide Petroleum NL (1994) 179 CLR 332

Spencer v Commonwealth [2010] HCA 28; (2010) 241 CLR 118

Sydney Water Corporation v Turano [2009] HCA 42; (2009) 239 CLR 51

Tamaya Resources Limited (in liq) v Deliotte Touche Tohmatsu (A firm) [2016] FCAFC 2

Tamaya Resources Limited (in liq) v Deloitte Touche Tohmatsu (A Firm), in the matter of Tamaya Resources Limited (in liq) [2015] FCA 1098

Tamaya Resources Ltd (In Liq) v Deloitte Touche Tohmatsu (A Firm) [2016] FCAFC 2; (2016) 332 ALR 199

Wardley Australia Limited v The State of Western Australia (1992) 175 CLR 514

Wilson v Rigg (2002) 36 MVR 451; [2002] NSWCA 246

Division:

General Division

Registry:

New South Wales

National Practice Area:

Other Federal Jurisdiction

Number of paragraphs:

64

Date of last submissions:

30 April 2024

Date of hearing:

2 May 2024

Counsel for the Applicant:

The applicant was self-represented.

Counsel for the Respondent:

Mr H Atkin

Solicitor for the Respondent:

King & Wood Mallesons

Counsel for the Second Prospective Respondent:

Mr JR Williams SC and Mr LG Moretti

Counsel for the Third Prospective Respondent:

Mr J Foley

Solicitor for the Third Prospective Respondent:

Clyde & Co

Counsel for the Fourth Prospective Respondent:

Mr H Atkin

Solicitor for the Fourth Prospective Respondent:

King & Wood Mallesons

ORDERS

NSD 519 of 2023

BETWEEN:

SHAHRIAR SAFFARI

Applicant

AND:

LATITUDE FINANCIAL SERVICES AUSTRALIA HOLDINGS PTY LTD

Respondent

DXC TECHNOLOGIES AUSTRALIA HOLDINGS PTY LTD

Second Prospective Respondent

CROWDSTRIKE AUSTRALIA PTY LTD

Third Prospective Respondent

LATITUDE FINANCE AUSTRALIA

Fourth Prospective Respondent

order made by:

PERRY J

DATE OF ORDER:

4 June 2024

THE COURT ORDERS THAT:

1.    The applicant’s interlocutory applications filed on 16 January and 13 February 2024 (the applicant’s interlocutory applications) are dismissed.

2.    The proceeding is dismissed under rule 5.23(1)(b) of the Federal Court Rules 2011.

3.    The applicant is to pay the respondent’s costs as agreed or taxed.

4.    The applicant is to pay the costs of, and incidental to, the applicant’s interlocutory applications, of DXC Technology Australia Holdings Pty Ltd, CrowdStrike Australia Pty Ltd and Latitude Finance Australia, as agreed or taxed.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

PERRY J:

1.    INTRODUCTION

1    At the heart of the applicant’s complaint is a data breach which allegedly resulted in the access of his personal information held by Latitude Finance Australia (LFA) (formerly known as GE Capital Finance Australia) by malicious third-parties. LFA, an unlimited public company, is a wholly owned subsidiary of the respondent, Latitude Financial Services Australia Holdings Pty Ltd (LFA Holdings) (together, the Latitude entities). LFA Holdings does not hold a credit licence or provide credit to customers but is the main operating entity of the Latitude group in Australia. It employs all staff and provides operational services. LFA holds a credit licence and is the issuer of all Latitude-branded credit cards, including the credit card issued to the applicant.

2    By way of an originating application filed on 2 June 2023, the applicant seeks damages in negligence, breach of confidence, and under various statutory provisions, as well as declaratory and injunctive relief, against the respondent, LFA Holdings. The originating application was not accompanied by a statement of claim or concise statement contrary to r 8.05 of the Federal Court Rules (2011) (Cth) (FCR).

3    On 16 January and 13 February 2024, the applicant filed interlocutory applications seeking orders:

(1)    joining DXC Technology Australia Holdings Pty Ltd as the second respondent to the proceeding pursuant to 9.05 of the FCR;

(2)    joining CrowdStrike Australia Pty Ltd as the third respondent to the proceeding;

(3)    joining LFA as the fourth respondent to the proceeding;

(4)    granting leave to the applicant to file an amended originating application pursuant to 8.21 of the FCR; and

(5)    granting leave to the applicant to file a proposed statement of claim pursuant to 16.53 of the FCR.

4    The applicant clarified at the hearing that he did not press the interlocutory application filed on 26 September 2023 which sought some of the same interlocutory orders.

5    The applicant claims that DXC Technology and CrowdStrike were responsible for different components of the Latitude entities’ cybersecurity: Proposed Statement of Claim dated 12 February 2024 at [5] and [7].

6    The applicants interlocutory applications were supported by affidavits affirmed by him on 26 September 2023, 10 January 2024 and 12 February 2024. The applicants proposed amended originating application and proposed statement of claim were annexed to the last of these affidavits and superseded earlier proposed versions. The proposed pleadings assumed that the applications for joinder against each of the proposed respondents would be successful. The applicant also provided written submissions in chief and reply prior to the hearing, and immediately before the hearing, provided (without objection from the respondent or prospective respondents) a further set of submissions described by him as an Aide Memoire.

7    By orders dated 28 February 2024, I granted each of the proposed respondents leave to intervene in the proceeding with respect to the joinder applications. Each of the proposed respondents opposed the applications for joinder. The Latitude entities also read the affidavit of Mikkeli Godfree, solicitor, affirmed on 8 February 2024 (Godfree affidavit). CrowdStrike read the affidavit of John Paul Moran, solicitor, affirmed on 8 February 2024.

8    The Latitude entities filed joint written submissions opposing the application. At the hearing, they also made an oral application for dismissal of the proceeding pursuant to FCR rule 5.23(1)(b) on the basis that the applicant was in default of rule 8.05(1). That application had been foreshadowed in correspondence from the respondents solicitors to the applicant on 11 July 2023, 27 November 2023, 24 January 2024, and 8 February 2024, as well as being addressed by them in written submissions filed in advance of the hearing. This correspondence was annexed to the Godfree affidavit and explained in clear terms why the respondent considered that the claim was defective in law.

9    In these circumstances and given that the applicant in fact made submissions orally opposing that application in the course of submitting that the r 5.23(1)(e) of the FCR application should be deferred, as well as in his written reply, I was satisfied that the applicant would not suffer prejudice if the Latitude entities’ application was heard at the same time as the applicant’s interlocutory application. I also agree with the Latitude entities that this course best served the overarching purpose in ss 37M and 37N of the Federal Court of Australia Act 1976 (Cth) (FCA Act) by facilitating the just resolution of the dispute according to law and as quickly, inexpensively and efficiently as possible.

10    For the reasons set out below, the applicants interlocutory applications filed on 10 January 2024 and 12 February 2024 are dismissed and the proceedings are dismissed under FCR r 5.23(1)(b).

2.    RELEVANT PRINCIPLES

2.1    Joinder

11    Rule 9.05(1) of the FCR provides that:

A party may apply to the Court for an order that a person be joined as a party to the proceeding if the person:

(a)    ought to have been joined as a party to the proceeding; or

(b)    is a person:

(i)    whose cooperation might be required to enforce a judgment; or

(ii)    whose joinder is necessary to ensure that each issue in dispute in the proceeding is able to be heard and finally determined; or

(iii)    who should be joined as a party in order to enable determination of a related dispute and, as a result, avoid multiplicity of proceedings.

12    The relevant principles are well established. To obtain an order for joinder, it is necessary (but not sufficient) for a party must show that they have an arguable case against the proposed respondent, at least to the standard of being able to resist an application for summary judgment by the proposed respondent: Brisbane Slipways Operations Pty Ltd v Pantaloni (2010) 270 ALR 13; [2010] FCA 654 at [154]; Review Australia Pty Ltd v Redberry Enterprise Pty Ltd [2003] FCA 1009 at [5] (Heerey J); DOQ17 v Australian Financial Security Authority [2018] FCA 561 (DOQ17 (No 1) at [74] (Perry J), see also Roberts-Smith v Roberts [2022] FCA 18 at [144] (Bromwich J) and the authorities there cited. That standard is identified in s 31A(2)(b) of the FCA Act which provides for summary dismissal (i.e. dismissal without a trial) where the Court is satisfied that the other party has no reasonable prospect of successfully prosecuting the proceeding or that part of the proceeding. With respect to s 31A, French CJ and Gummow J explained in Spencer v Commonwealth [2010] HCA 28; (2010) 241 CLR 118 at [22], that the section:

… will apply to the case in which the pleadings disclose no reasonable cause of action and their deficiency is incurable. It will include the case in which there is unanswerable or unanswered evidence of a fact fatal to the pleaded case and any case which might be propounded by permissible amendment. It will include the class of case in the long-standing category of cases which are “frivolous or vexatious or an abuse of process”. The application of s 31A is not, in terms, limited to those categories.

13    Furthermore, s 31A(3) makes it clear that a proceeding need not be hopeless or bound to fail for it to have no reasonable prospects of success. It follows that s 31A sets a lower threshold than the previous test for summary dismissal which required that the claim be “manifestly groundless” or “hopeless”: Spencer at [52]–[56] (Hayne, Crennan, Kiefel and Bell JJ). Nonetheless, the discretion must be exercised with caution (Spencer at [24] (French CJ and Gummow J) and [60] (Hayne, Crennan, Kiefel and Bell JJ)). The same caution should be exercised when considering whether an application for joinder should be dismissed on the basis that the proposed action would have no reasonable prospects of success.

14    For the reasons given below, the pleadings against the proposed respondents in the proposed amended originating application and statement of claim would not survive an application for summary judgment, as they have no reasonable prospects of success, and therefore the application for joinder must be refused.

2.2    Principles governing the discretion to grant leave to amend and to file a statement of claim

15    Rule 8.21 confers a discretion on the Court to grant leave to amend an originating application: Tamaya Resources Ltd (In Liq) v Deloitte Touche Tohmatsu (A Firm) [2016] FCAFC 2; (2016) 332 ALR 199 at [122] (Gilmour, Perram and Beach JJ) (Tamaya Resources (FCAFC)). The rule relevantly provides:

(1)    An applicant may apply to the Court for leave to amend an originating application for any reason, including:

(g)    to add or substitute a new claim for relief, or a new foundation in law for a claim for relief, that arises:

(i)    out of the same facts or substantially the same facts as those already pleaded to support an existing claim for relief by the applicant; or

(ii)    in whole or in part, out of facts or matters that have occurred or arisen since the start of the proceeding.

16    I summarised the relevant principles governing an application for leave to amend in DOQ17 (No 1) at [26] as follows:

Leave to amend would ordinarily be exercised in favour of an amendment if facts already pleaded gave rise to an additional cause of action: Tameeka Group Pty Ltd v Landan Pty Ltd (No 2) [2016] FCA 480 (Markovic J). However, leave will generally be refused where the amendment would be futile, such as where it fails to disclose a reasonable cause of action or seeks to raise a case that is misconceived in point of law, where the amendment is embarrassing, or where the amendment is otherwise liable to be struck out: Research in Motion [v Samsung Electronics Australia Pty Limited [2009] FCA 320] at [23] (Kenny J); Allstate Life Insurance Company v Australia and New Zealand Banking Group Ltd (1995) 58 FCR 26 at 36 (Lindgren J (with whose reasons Lockhart and Tamberlin JJ agreed)); SZSRR v Minister for Immigration and Border Protection [2017] FCA 328 at [48] (Gleeson J). In determining whether the amendment would be liable to be struck out, relevant principles include the following.

(1)    In determining whether to strike out a pleading, the central function of pleadings must be borne squarely in mind, namely, to state with sufficient clarity the case to be met so as to ensure as a matter of procedural fairness that a party has the opportunity of meeting the case against it: see also Australian Parking and Revenue Control Pty Ltd v Reino International Pty Ltd [2016] FCA 744 (Australian Parking (No. 1)) at [19(1)] (Perry J).

(2)    While a respondent has no absolute right to insist that an applicant plead every material fact necessary to demonstrate a complete cause of action, all of the material facts necessary to formulate a complete cause of action should in general be pleaded such that the respondent understands the case to be met: r 16.02(2) of the FCR; Young Investments Group Pty Ltd v Mann [2012] FCAFC 107; (2012) 293 ALR 537 (Young Investments Group) at [7] (the Court).

(3)    A pleading which simply pleads a conclusion from unstated facts is embarrassing and is liable to be struck out: Trade Practices Commission v David Jones (Australia) Pty Ltd (1985) 7 FCR 109 at 114-5 (Fisher J); Young Investments Group at [7]. A pleading is also embarrassing where it is unintelligible, ambiguous, vague or too general, so as to embarrass the opposite party who does not know what is alleged against her or him: Priest v New South Wales [2006] NSWSC 12 at [34] (Johnson J).

(Emphasis omitted.)

17    Furthermore, the Court must exercise its discretion to grant leave to amend in accordance with the overarching purpose in s 37M of the FCA Act: Tamaya Resources Limited (in liq) v Deloitte Touche Tohmatsu (A Firm), in the matter of Tamaya Resources Limited (in liq) [2015] FCA 1098 (Tamaya Resources (FCA)) at [125] (Gleeson J) (affirmed in Tamaya Resources Limited (in liq) v Deliotte Touche Tohmatsu (A firm) [2016] FCAFC 2 at [122]); and DOQ17 at [27]. Section 37M relevantly provides:

(1)    The overarching purpose of the civil practice and procedure provisions is to facilitate the just resolution of disputes:

(a)    according to law; and

(b)    as quickly, inexpensively and efficiently as possible.

(2)    Without limiting the generality of subsection (1), the overarching purpose includes the following objectives:

(a)    the just determination of all proceedings before the Court;

(b)    the efficient use of the judicial and administrative resources available for the purposes of the Court;

(c)    the efficient disposal of the Court’s overall caseload;

(d)    the disposal of all proceedings in a timely manner;

(e)    the resolution of disputes at a cost that is proportionate to the importance and complexity of the matters in dispute.

18    Clearly granting leave to amend where there was no reasonable prospect that the pleading could succeed would not serve these objects.

3.    THE APPLICATION FOR LEAVE TO AMEND AND TO FILE AN AMENDED ORIGINATING APPLICATION

19    Under the heading “Details of Claim” in his proposed amended originating application, the applicant seeks (among other things) orders for damages pursuant to the following alleged causes of action from the respondents:

(1)    s 25, s 25A and s 93 of the Privacy Act 1988 (Cth) (proposed order 4);

(2)    s 1324(10) of the Corporations Act 2001 (Cth)(proposed order 5).

(3)    Pt 2 and Pt 3 of the Civil Liability Act 2002 (proposed order 6);

(4)    Sch 2, Part VI, s 4K, s 13 and s 82 of the Competition and Consumer Act 2010 (Cth)” (proposed order 7); and

(5)    Common Law Principle of Negligence and Common-Law Breach of Confidence (proposed order 8).

20    The quantum of compensation sought from the Respondents” is “for injury in the amount of $250,000.00” and “for non-economical loss of $750,000.00 (proposed order 9).

21    As I explain below by reference to each of these proposed causes of action, the applicant has failed to articulate an arguable claim that would entitle him to any of these forms of relief or to the general claims for damages and/or compensation on an unidentified basis in proposed order 1. The proposed statement of claim is also confusing, lacks sufficient clarity, and is legally flawed.

3.1    The alleged claims in negligence and under the Civil Liability Act 2002 (NSW)

22    As the respondent and prospective respondents submit, it is well-established that mere exposure to a risk that damage might be suffered in the future does not itself constitute damage for the purposes of the law of negligence. As for example, Giles JA (Santow J and Foster AJA agreeing) held in Wilson v Rigg (2002) 36 MVR 451; [2002] NSWCA 246 at [23] “[t]here must be actual damage, as distinct from the risk or prospect of damage or contingent damage…, and the damage must be measurable or beyond what can be regarded as negligible…”. In other words, [d]amage is the gist of the cause of action in negligence”: Brookfield Multiplex Ltd v Owners Corporation Strata Plan 61288 (2014) 254 CLR 185 at [124] (Crennan, Bell and Keane JJ). As the proposed second respondent submitted:

This means that no claim in negligence can succeed unless an applicant has shown that they have suffered actual damage: Alcan Gove Pty Ltd v Zabic (2015) 257 CLR 1 at [8] (French CJ, Kiefel, Bell, Keane and Nettle JJ). The authorities are clear that mere exposure to a risk that loss or damage might be suffered in the future does not itself amount to the suffering of actual loss or damage: Alcan Gove (2015) 257 CLR 1 at [37] (French CJ, Kiefel, Bell, Keane and Nettle JJ). See, also, C Sappiden et al (eds), Fleming’s The Law of Torts (11th ed, Lawbook Co, 2024) at [9.10].

(Emphasis added.)

23    The proposed amended pleadings, however, do not plead any actual loss or damage which the applicant says he has suffered as a result of the respondent’s or the proposed respondents alleged breaches of duty. The applicant’s case, as pleaded in the proposed statement of claim, rises no higher than the allegation that personal data relating to him has been made available to third parties who may engage in fraud or identity theft. He does not allege that any of those risks have materialised such that he has suffered actual loss or damage.

24    The bare assertion at paragraph 53 that:

By reason of:

(a)     breach of Statutory and Nondelegable Duty and/or Duty of Care and Liability and/or Vicarious Liability; [or]

(b)    breach of Contractual Obligations

by the Respondents alleged above, the Applicant has suffered loss and damage of the kind referred to in paragraph 42-46

plainly does not remedy the difficulty. To the contrary, the pleading expressly refers back to the earlier pleadings of a risk of loss or damage. It follows that the applicant’s negligence claims against the respondent and the prospective respondents are untenable in that they cannot possibly succeed.

25    With respect to order six of the proposed amended originating application seeking damages under Parts 2 and 3 of the Civil Liability Act 2002 (NSW):

(1)    Part 2 “applies to and in respect of an award of personal injury damages (s 11A(1)); and

(2)    Part 3 applies to any claim for damages for mental harm resulting from negligence” (s 28(1)).

26    However no allegation is made by the applicant in the proposed statement of claim that he has suffered either personal injury or mental harm. It follows that these Parts of the Civil Liability Act are irrelevant.

27    In those circumstances, it is not necessary to address in any detail the other manifest deficiencies in the proposed pleadings in negligence. It suffices to observe that these include a failure by the applicant to articulate the factual basis on which it is alleged that the respondent and prospective respondents owed him a duty of care in respect of his personal data or breached that duty. Rather, as the proposed second respondent submits, the proposed statement of claim advances conclusory statements which fail to identify the material facts necessary to establish those conclusions.

28    For example, at paragraph 38 of the proposed statement of claim, the applicant alleges that:

The Respondents jointly and severally failed their duty and/or duty of care and liability and/or vicarious liability threefold:

(a)    Firstly, the Respondents failed to prevent the cyberattack.

(b)    Secondly, the Respondents failed to detect the cyberattack in a timely manner.

(c)    Thirdly, the Respondents failed to stop the attack.

29    With respect to this example, Mr Williams SC, counsel for the prospective second respondent, rightly submitted that the pleading was conclusory in the sense that it pleaded what had happened and alleged that it had occurred because of the negligence. The applicant’s pleading is also of an absolute or strict duty, and not of a duty to take reasonable care and is therefore also deficient on this ground: see, eg, Sydney Water Corporation v Turano [2009] HCA 42; (2009) 239 CLR 51 at [48]. Rather, as Mr Williams submitted,“[w]hat a pleading would need to do to meet the requirements of the tort of negligence is to allege what a reasonably careful – in [DXC’s case] – IT contractor would have done and what [DXC], in fact, did, and therefore, what [DXC] did failed to meet the standard of care which a reasonably careful IT contractor would have taken to the relevant situation” (T16.4517.2).

3.2    The alleged claims in contract

30    The applicant alleges at paragraph 2.4 of his proposed statement of claim that the respondent, LFA Holdings, has an “Implied Contract” with the applicant to provide a credit card with a line of credit in return for various fees and interest. The Latitude entities accept that the applicant’s credit card was issued to him by LFA and that LFA is a subsidiary of the respondent (as alleged in the proposed statement of claim at [1.2], [2.2] and [8.3]) (Latitude entities’ submissions at [13]). However, as the Latitude entities allege, they are separate legal entities. The applicant has failed to identify any facts in support of the alleged implied contract. It follows that no arguable contractual claim has been articulated against the respondent.

31    With respect to LFA, as I have mentioned the Latitude entities admit that LFA was a party to a credit card contract with the applicant: see the Godfree affidavit at [12(c)]. Paragraph 20 of the proposed statement of claim appears to allege that by reason of their relationship as parties to a contract, LFA was under an obligation “to not cause harm to the Applicant”. While paragraph 21 of the proposed statement of claim suggests that this was an express contractual term, the applicant has not identified any contractual document or other communication in which an obligation in those terms was agreed. As such, the proposed statement of claim is vague and fails to identify any arguable contractual claim against LFA.

3.3    The alleged claims under the Privacy Act 1988 (Cth)

32    As earlier explained, by the proposed amended originating application, the applicant also seeks [a]n order pursuant to s 25, s 25A and s 93 of the Privacy Act 1988 (Cth), [that] the Respondents pay damages to the Applicant”: proposed order 4. This claim is misconceived.

33    First, ss 25 and 25A are found in Part IIIA of the Privacy Act 1988 (Cth) dealing with the privacy of information relating to credit reporting. Compensation orders can be made against an entity under ss 25 and 25A only where, either:

(1)    a civil penalty order under s 82(3) of the Regulatory Powers Act has been made against the entity for a contravention of a civil penalty provision in Part IIIA of the Privacy Act; or

(2)    the entity is guilty of an offence against that Part IIIA of the Privacy Act;

and the loss or damage, or likely loss or damage, resulted from the contravention or commission of the offence.

34    However, there is no allegation in the proposed statement of claim that any of those statutory criteria are met. Furthermore the applicant has no capacity to bring a claim for a civil penalty order. That power is vested solely in the Information Commissioner: see 80U(2), Privacy Act.

35    Secondly, s 93 is located in Part VIII of the Privacy Act and provides for the recovery of damages from a person (a confidant) who is subject to an obligation of confidence to another person (a confider) with respect to personal information. However, s 89 relevantly provides that:

… a reference in this Part to an obligation of confidence is a reference to an obligation of confidence:

(a)    to which an agency or a Commonwealth officer is subject, however the obligation arose; or

(b)    that arises under or by virtue of the law in force in the Australian Capital Territory; or

(c)    that arises under or by virtue of a law in force in an external Territory.

36    As such, Part VIII creates an entitlement to damages which is predicated upon the existence of an obligation of confidence which is enforceable through the courts. As the Full Court held in Austen v Civil Aviation Authority (1994) 50 FCR 272 at 2778:

Although s 93 of the Privacy Act provides for a confider to recover damages from a confidant in respect of a breach of an obligation of confidence with respect to personal information, s 90 limits the operation of Part VIII (in which s 93 appears) to obligations of confidence in respect of a breach of which relief may be obtained in legal proceedings …

It would appear that a deliberate decision was made by Parliament not to give a right of action in tort for breach of a privacy principle: see The Law Reform Commission Report No 22, Vol 2, para 1085 and ss 105-110 in the draft Bill forming Appendix A to that volume which, so far as is relevant, is in substantially identical terms to ss 89-94 of the Privacy Act as enacted; also the Explanatory Memorandum for the Privacy Bill paragraphs 201, 203 and 205. Instead the provisions of Part VIII of the Privacy Act can be seen as extending the remedies available in equity for breach of an obligation of confidence.

(Emphasis added.)

37    There is no allegation in the proposed statement of claim that the respondent/proposed respondents:

(1)    were subject to such an obligation of confidence to the applicant;

(2)    are “an agency or a Commonwealth officer”; or

(3)     that any law in force in the jurisdictions referred to in subs (b) and (c) is engaged.

38    As such, no arguable claim is made for damages under this provision.

39    Thirdly, at paragraphs 22 and 24 of the proposed statement of claim, the applicant appears to contend that the DXC breached an obligation to protect his “personal informationwhich was allegedly owed to him under Australian Privacy Principle 11 (APP 11, Schedule 1, Privacy Act). In addition, at paragraph 52, in a general pleading not expressly directed to any particular respondent/proposed respondent, the applicant alleges that the Cause of Action relies relevantly upon “Tort of Privacy Breach per APP 11 of the Privacy Act”. The short answer to this, as DXC submits, is that the mechanism for redress for an interference with the privacy of an individual in breach of the Privacy Act is by way of a complaint under s 36 to the Information Commissioner in accordance with Part V: see, eg, DOQ17 v Australian Financial Security Authority (No 3) [2019] FCA 1488 (DOQ17 (No 3)) at [153] (Perry J). If the complaint is upheld, s 52(1)(b) of the Privacy Act confers power on the Commissioner to make various declarations including that the complainant is entitled to a specified amount of compensation. This, in turn, may be enforced under s 55A of the Privacy Act where the court is satisfied that the respondent has engaged in an interference with the complainant’s privacy.

40    As such, the Privacy Act does not make provision for a breach of an Australian Privacy Principle to be directly actionable in this Court: DOQ17 (No 3) at [152] and [153] approving Day v Lynn [2003] FCA 879 at [50] (Stone J). There is no allegation that there has been any such determination made by the Information Commissioner in this case and no application for enforcement of any such determination is made in this proceeding. It follows that this claim is also untenable.

3.4    The alleged claims under the Corporations Act 2001 (Cth)

41    Nor has any arguable claim that the respondent and prospective respondents pay damages to the applicant under s 1324(10) of the Corporations Act 2001 (Cth) has been pleaded. Section 1324(10) provides that:

Where the Court has power under this section to grant an injunction restraining a person from engaging in particular conduct, or requiring a person to do a particular act or thing, the Court may, either in addition to or in substitution for the grant of the injunction, order that person to pay damages to any other person.

42    Section 1324 of the Corporations Act relevantly reads:

(1)     Where a person has engaged, is engaging or is proposing to engage in conduct that constituted, constitutes or would constitute:

(a)     a contravention of this Act; or

(b)     attempting to contravene this Act; or

(c)    aiding, abetting, counselling or procuring a person to contravene this Act; or

(d)     inducing or attempting to induce, whether by threats, promises or otherwise, a person to contravene this Act; or

(e)     being in any way, directly or indirectly, knowingly concerned in, or party to, the contravention by a person of this Act; or

(f)     conspiring with others to contravene this Act;

the Court may, on the application of ASIC, or of a person whose interests have been, are or would be affected by the conduct, grant an injunction, on such terms as the Court thinks appropriate, restraining the first - mentioned person from engaging in the conduct and, if in the opinion of the Court it is desirable to do so, requiring that person to do any act or thing.

(2)     Where a person has refused or failed, is refusing or failing, or is proposing to refuse or fail, to do an act or thing that the person is required by this Act to do, the Court may, on the application of:

(a)     ASIC; or

(b)     any person whose interests have been, are or would be affected by the refusal or failure to do that act or thing;

grant an injunction, on such terms as the Court thinks appropriate, requiring the first - mentioned person to do that act or thing.

43    It follows that the power to award damages under s 1324(10) is available only in substitution for, or supplementation of, an injunction: McCracken v Phoenix Constructions (Qld) Pty Ltd [2012] QCA 129; [2013] 2 Qd R 27 at [30] (Fraser JA (with whose reasons White JA and Applegarth J agreed at [65] and [66] respectively)). However the proposed statement of claim does not identify any conduct which is said to enliven the court’s power to grant an injunction under s 1324, let alone identify how the applicant’s interests have been, or would be, affected by the act or conduct in question. There is no pleading, in other words, by the applicant that the respondent/proposed respondents have contravened, or are likely to contravene, any provision of the Corporations Act.

44    In his written submissions, the applicant submits that “s 167A of the Corporations Act … imposes obligations on DXC and CrowdStrike” (Applicant’s Submissions (AS) at [17]) and that the “[f]ailure to have adequate risk management of Cyber Security and Cyber Resilience to manage cyberattack and hacking attempts and to detect, prevent and stop cyberattacks contravenes the Corporations Act” (AS at [18]). Mr Saffari also appears to rely, in relation to the second of these propositions on the decision in ASIC v RI Advice Group Pty Ltd [2022] FCA 496 at [57] and [62] (Rofe J).

45    However, 167A of the Corporations Act deals with the application of Pt 2C.1 of the Corporations Act, which concerns the requirements for setting up and maintaining company registers. Its relevance to any claims that the applicant seeks to make is completely obscure.

46    The applicant’s broader contention that a company’s inadequate risk management of cybersecurity may contravene the Corporations Act provides no support for his claimed entitlement to damages under s 1324(10). The passages on which the applicant relies in RI Advice at paragraphs 57 (in which Rofe J explained what is meant by cybersecurity and cyber resilience) and 62 (where her Honour refers to RI Advice’s admission as to the inadequacy of its documentation, controls and risk management systems) concerned agreed contraventions by a defendant of s 912A of the Corporations Act based on an agreed statement of facts: RI Advice at [8][10]. They have no apparent application here.

47    The highest that the claim in the present case rises is the applicant’s manifestly conclusory statement that LSA failed to manage cybersecurity risk as imposed on Australian Financial Services Licence holders (within the meaning of s 912A of the Corporations Act) across its call centres and failed to respond appropriately to the cybersecurity incident (in contravention of (ss 912A(1)(b), (c), (d), (f), (h), (i) and (5A) of the Corporations Act): AS at [24]. That allegation is not found in the proposed statement of claim and no clear basis for any such allegation has been articulated.

3.5    The alleged claims under the Competition and Consumer Act 2010 (Cth)

48    The proposed originating application seeks an order for damages pursuant toSch 2, Part VI, s 4K, s 13 and s 82 of the Competition and Consumer Act 2010 (Cth)” (order 7). This claim is also misconceived. (I note that the Australian Consumer Law (ACL) is set out in Sch 2 to the Competition and Consumer Act 2010 (Cth) (CCA). I have also assumed that, while the proposed pleading appears to cite only provisions contained in Sch 2 to the CCA, the references to ss 4K and 82 are apparently intended to refer to these provisions in the CCA itself, which concern damages.)

49    First, s 4K of the CCA and 13 of the ACL are definition provisions and do not create causes of action.

50    Secondly, s 82 of the CCA creates an action for damages for contravention of specified provisions of the CCA. However, neither the Latitude entities nor any other prospective respondent is alleged to have breached any of those provisions.

51    Thirdly, paragraph 21 of the proposed statement of claim alleges that the Latitude entities lacked due diligence and were negligent in their security before the hack… and breached their Express Contractual obligations by failing to reasonably foresee the loss or damage the Applicant would suffer as a result of such failure per Part 3-2 Division 1 and ss 54, 60, 259, 259(4), 267 and 267(4) of the ACL. The pleading is incomprehensible and the alleged relevance of the provisions cited is obscure.

52    Taking each of these provisions in turn, ss 54 and 259 of the ACL concern supply of goods. However, no allegation is made against the Latitude entities (or any other prospective respondent) that any goods supplied by them were not of acceptable quality.

53    Section 60 of the ACL provides for a guarantee that services supplied to a consumer in trade or commerce will be rendered with due care and skill. The applicant does not clearly articulate how he says that the Latitude entities are said to have breached that guarantee. Nor does the proposed statement of claim identify what services were allegedly rendered to the applicant by the Latitude entities or any other proposed respondent.

54    Critically, however, even if an arguable breach of the consumer guarantee in s 60 had been pleaded, in the absence of any identified loss or damage, the breach would not confer an entitlement to claim damages under s 267(4) of the ACL. This is because the section confers an entitlement to recover damages only for any loss or damage suffered by the consumer because of the failure to comply with the guarantee which was a reasonably foreseeable consequence of that failure (emphasis added). Thus, in common with a claim in negligence, loss or damage is the “gist” (i.e. an essential element) of a claim for damages under s 267(4) of the ACL. As Mason CJ, Dawson, Gaudron and McHugh JJ held in Wardley Australia Limited v The State of Western Australia (1992) 175 CLR 514 at 525 with respect to the predecessor provision in the Trade Practices Act which was relevantly in the same terms, the cause of action does not accrue until actual loss or damage is sustained (emphasis added). Potential or even likely damage is not sufficient: Sellars v Adelaide Petroleum NL (1994) 179 CLR 332 at 348 (Mason CJ, Dawson, Toohey and Gaudron JJ). As I have earlier held, the applicant’s case is that he seeks damages for the future risk that he might suffer loss or damage. The applicant does not allege that he has suffered any actual loss or damage. In those circumstances, this claim is also untenable.

3.6    Other deficiencies in the proposed pleadings

55    It is apparent from the deficiencies in the pleadings which I have outlined above that on no view does the applicant’s case have any reasonable prospects of success. Accordingly, the applications to amend the originating application and to file the proposed statement of claim must be refused. The proposed pleadings also suffer from numerous other deficiencies, as the respondent and prospective respondents pointed out in their submissions. It suffices to mention just two in the proposed statement of claim which were conveniently summarised in written submissions for DXC:

First, contrary to r 16.02(1)(a) of the Federal Court Rules, many paragraphs contain “rolled up” allegations – that is numerous separate allegations that are included within one sentence or paragraph. For example, at paragraph 18 no distinction is drawn between the proposed respondents who are all said to have “failed in their responsibilities to keep the Applicant’s personal information secure”.

Secondly, the Proposed Statement of Claim contains various confusing statements the relevance of which to Mr Saffari’s claims is unclear. For example, at paragraphs 23 and 24, Mr Saffari refers to DXC’s “vicarious liability” without identifying the person for whose conduct it is alleged DXC is vicariously liable. Similarly, at paragraph 24, Mr Saffari asserts that ss 5B and 5C of the Civil Liability Act are relevant to his claim against DXC without any explanation how those provisions are relevant. Further, at paragraph 52(ii), Mr Saffari refers to a “Tort of Privacy Breach per APP 11” despite the fact that the Privacy Act does not create such a tort.

4.    THE APPLICATION FOR JOINDER SHOULD BE REFUSED

56    Applying the principles with respect to joinder outlined above, the application for joinder of the proposed respondents must be refused with costs on the basis that no reasonable cause of action is pleaded against any of the proposed respondents.

5.    THE APPLICATION FOR DEFAULT JUDGMENT

57    As earlier mentioned, the respondent and proposed fourth respondent also seek orders dismissing the proceedings under rule 5.23(1)(b) of the FCR on the ground that the applicant has been in default for the purposes of rule 5.22(a) given that he has failed to “do an act required to be done, or do an act in the time required, by these Rules, namely, to file a statement of claim or concise statement. Specifically, rule 8.05(1) provides that:

(1)    An originating application seeking relief that includes damages must be accompanied by:

(a)    unless paragraph (b) or (c) applies—a statement of claim; or

(b)    if a practice note issued by the Chief Justice requires the originating application to be accompanied by an alternative accompanying document—the alternative accompanying document; or

(c)    if a practice note issued by the Chief Justice permits the originating application to be accompanied by an alternative accompanying document—the alternative accompanying document or a statement of claim.

58    The note to rule 8.05(1)(2) provides that:

Note 1:    A practice note issued by the Chief Justice may require or permit an alternative accompanying document to accompany an originating application by:

(a)    expressly requiring or permitting the alternative accompanying document to accompany the originating application; or

(b)    referring to another document that requires or permits the alternative accompanying document to accompany the originating application.

59    The power to dismiss proceedings under rule 5.23(1)(b) is discretionary and must also be exercised having regard to the overarching purpose articulated in s 37M of the FCA Act, which I have earlier set out.

60    It is not in issue that the originating application seeks damages and that no statement of claim (or concise statement) was filed with the originating application or has been subsequently filed. In this regard, at the first case management hearing on 10 August 2023, I explained the importance of filing the statement of claim and what it should address as follows:

what the respondent is proposing is, of course – that would follow the normal progress of a matter in the court, and that is asking you to file and serve a statement of claim. Now, a statement of claim is something that needs to set out all of your – with specificity, all of the factual elements of your claim, so that the other side have fair notice of what – why you say they’re liable for the damages you claim and the other relief.

But the point of it – the point of a statement of claim is for you now to put some flesh on the bones of the allegations that you make in your originating application and to provide, to the extent you possibly can, very specific details of each element – factual element of your claim, so the other side know what it is that they need to answer. So that’s the first thing that I think does need to happen

61    The applicant contends that he has attempted to file a statement of claim. However, that the statement of claim was not accepted for filing in circumstances where it named as respondents, and pleaded allegations against, entities which were not parties. Those attempts also occurred in circumstances where the fundamental problems with the applicant’s claim against the respondent have been explained clearly to him in correspondence from the respondents solicitors on no fewer than four occasions, as I have earlier held, which were not remedied by the proposed pleadings. Further, the open letter of 8 February 2024 from the respondent’s solicitors to the applicant sought his agreement to discontinue the proceedings with no order as to costs and unequivocally stated that the respondent would apply to have the proceedings summarily dismissed if he did not do so.

62    However, rather than addressing the legitimate difficulties raised by the respondent in its correspondence, the applicant has proposed now three different versions of the statement of claim, none of which has even identified any actual loss or damage despite claiming a substantial amount in compensation. The applicant has also sought to join three new respondents. Moreover, there have already been three case management hearings in the proceeding with associated costs for the respondent and utilisation of the resources of this Court but no progress in terms of the applicant addressing the problems with his claims.

63    I agree with the respondent’s submission that in all of these circumstances, the applicants default “has placed a disproportionate burden on the resources of this Court and those of [the respondent] and the prospective respondents.” I therefore agree that to allow yet another opportunity to the applicant to seek to articulate an arguable cause of action would not be consistent with the overarching purpose in s 37M of the FCA Act.

6.    CONCLUSION

64    For these reasons, the applicants interlocutory application must be refused and the proceeding should be dismissed. The applicant is to pay the costs of the respondent and prospective respondents as agreed or taxed.

I certify that the preceding sixty-four (64) numbered paragraphs are a true copy of the Reasons for Judgment of the Honourable Justice Perry.

Associate:

Dated:    4 June 2024

Top