Federal Court of Australia

Gao v Australian Information Commissioner [2026] FCA 24

ORDERS

THE COURT NOTES THAT:

A. The respondent is requested to provide a copy of the Court’s reasons for judgment dated today to Lumo Energy Australia Pty Ltd and to draw its attention to [89].

THE COURT ORDERS THAT:

1. The applicant’s interlocutory application dated 4 June 2024 be dismissed.

2. The applicant’s interlocutory application dated 6 June 2025 be dismissed.

3. The applicant’s interlocutory application dated 24 June 2025 be dismissed.

4. The originating application for judicial review dated 5 July 2023 be dismissed.

5. Subject to paragraph 6:

(a) The applicant pay the respondent’s costs of the proceeding (including the costs of the three interlocutory applications), to be determined on a lump sum basis.

(b) By 4.00 pm on 13 February 2026, the parties file any agreed proposed minute of orders fixing a lump sum in relation to the respondent’s costs of the proceeding.

(c) In the absence of agreement:

(i) By 4.00 pm on 27 February 2026, the respondent file and serve a Costs Summary in accordance with paragraphs 4.10 to 4.12 of the Court’s Costs Practice Note (GPN-COSTS) (Practice Note).

(ii) By 4.00 pm on 13 March 2026, the applicant file and serve a Costs Response in accordance with paragraphs 4.13 and 4.14 of the Practice Note.

(iii) By 4.00 pm on 20 March 2026, the parties file and serve any short submissions on costs in accordance with paragraph 4.15 of the Practice Note.

(iv) The amount of the lump sum of the respondent’s costs of the proceeding be determined by a Registrar of the Court.

6. If the applicant seeks a different costs order, he may within 14 days file and serve a written submission on costs.  In that event, the respondent may within a further 14 days file and serve a responding written submission, and the issue of costs will be determined on the papers.

Note:    Entry of orders is dealt with in Rule 39.32 of the Federal Court Rules 2011.

REASONS FOR JUDGMENT

MOSHINSKY J:

Introduction

1 On 9 May 2022, the applicant, Mr Peng Gao, lodged a complaint (the Complaint) with the respondent, the Australian Information Commissioner (the AIC), under s 36(1) of the Privacy Act 1988 (Cth) about certain alleged acts or practices of Lumo Energy Australia Pty Ltd (Lumo) (an electricity provider) and illion Australia Pty Ltd (illion) (a credit reporting body) that he considered to be an interference with his privacy within the meaning of the Privacy Act.  The Complaint related to an inquiry made by the applicant to Lumo in November 2021 about transferring his electricity account to Lumo.  Lumo contacted illion to obtain a credit assessment in relation to the applicant.  Ultimately, the transfer did not proceed.  The applicant’s concerns relate to the way in which Lumo and illion allegedly collected and handled his personal information.

2 By letter dated 25 May 2023 (the May 2023 Letter), a delegate of the AIC notified the applicant that she had conducted preliminary inquiries into the allegations and, subject to any comments or submissions the applicant may make, intended to decide (pursuant to s 41(1) of the Privacy Act) not to investigate the Complaint.  Section 41(1) relevantly provides that the AIC may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under s 36 if the AIC is satisfied that the act or practice is not an interference with the privacy of an individual.  The delegate invited the applicant to make any further comments by 8 June 2023.

3 On 27 May 2023, the applicant provided additional comments and documents.  On 8 June 2023, the applicant requested that the Complaint be referred to the investigation team and provided various documents.

4 By letter dated 15 June 2023 (the June 2023 Letter), another delegate of the AIC notified the applicant that she had considered the applicant’s additional comments and documents and had decided (pursuant to s 41(1) of the Privacy Act) not to investigate the Complaint any further (the Decision).  For the reasons set out in the letter, the delegate considered that the acts or practices complained about were not an interference with the applicant’s privacy within the meaning of the Privacy Act.

5 On 14 July 2023, the applicant lodged with the Court an originating application for judicial review dated 5 July 2023 (the originating application).  The respondent to the proceeding as commenced was the “Office of the Australian Information Commissioner”.  By order of a Registrar dated 22 May 2024, the title of the proceeding was amended to record the respondent as “Australian Information Commissioner”.  However, as discussed below, the applicant contends that the description of the respondent as the “Office of the Australian Information Commissioner” should be reinstated.

6 There was an issue as to whether the originating application was filed one day out of time.  On 22 September 2025, I made an order that (if and to the extent necessary) the time for the applicant to file the originating application be extended nunc pro tunc to 14 July 2023.

7 By the originating application, the applicant seeks judicial review of the Decision pursuant to the Administrative Decisions (Judicial Review) Act 1977 (Cth) (the ADJR Act). The originating application does not identify any grounds of review.  However, in his affidavit material and submissions the applicant makes a number of contentions.  In particular, the applicant contends that the AIC made errors of law and/or adopted a wrong approach in forming the view that the acts or practices about which the applicant had complained were not an interference with the applicant’s privacy within the meaning of the Privacy Act.

8 The orders sought in the originating application are directed at illion and Lumo despite the fact that they were not respondents to the proceeding as commenced.  The orders sought are:

1.    illion Australia Pty Ltd … must destroy or de-identify

(1)    complainant credit reporting account established on 12 Nov 2021, and

(2)    all communication emails, attachments, identification information produced by complainant & Lumo Australia Pty Ltd to illion Australia Pty Ltd

2.    Lumo Australia Pty Ltd … must destroy or de-identify

(1)    communication [audio] recorded

(2)    all communication emails, attachments & identification information provided to Lumo Australia Pty Ltd

3.    Any other orders that the Court may deem to be fit.

9 The AIC does not actively oppose the relief sought in the originating application.  However, as there is no active contradictor in this proceeding, the AIC considered it appropriate to assist the Court by explaining the basis of the decision under review and identifying the relevant legal principles applicable to the grounds of review raised by the applicant.

10 The applicant has filed three interlocutory applications (dated 4 June 2024, 6 June 2025 and 24 June 2025). There is substantial overlap between the three interlocutory applications.  In substance, all three interlocutory applications seek the joinder of illion and Lumo as respondents to the proceeding.  Further, the second and third interlocutory applications seek relief against illion and Lumo that is similar to the relief sought against them in the originating application.

11 The three interlocutory applications were listed for hearing before me on 22 September 2025.  At that hearing, the applicant appeared for himself and a solicitor from Mills Oakley (the firm of solicitors acting for the AIC) appeared on behalf of the AIC.  As I indicated during the hearing, I was having some difficulty in understanding the applicant due to his lack of proficiency in English.  I asked the applicant what his first language is.  He said it was Mandarin, but that he did not need an interpreter and that arranging an interpreter would be a waste of time.  Despite the applicant’s response, I considered that the Court would be assisted by the involvement of an interpreter.  I therefore adjourned the hearing of the three interlocutory applications to a later date.  Further, due to the delay that had occurred in the proceeding, I decided to list the originating application for hearing together with the interlocutory applications (subject to the outcome of the interlocutory applications).  Thus, the three interlocutory applications and the originating application were listed for hearing on 8 October 2025.  Timetabling orders were made for the filing of further written submissions before that hearing.

12 The hearing of the interlocutory applications and the originating application took place on 8 October 2025.  Although an interpreter in Mandarin and English was present, the applicant said that he was no longer familiar with Mandarin, having come to Australia 40 years ago, and made clear that he wanted to present his oral submissions himself in English.  I therefore sent the interpreter away and the hearing proceeded with the applicant making submissions in English.  While I continued to have some difficulty in understanding the applicant, there did not appear to be any practical alternative but to continue.  I also made orders giving the applicant leave to file supplementary written submissions, the AIC leave to file responding written submissions, and the applicant leave to file reply submissions.

13 For the reasons that follow, I have concluded that:

(a) the applicant’s three interlocutory applications should be dismissed; and

(b) the originating application should be dismissed.

The material before the Court

14 The affidavit material before the Court is as follows:

(a) On behalf of the applicant: affidavits of the applicant dated 14 July 2023, 25 January 2024, 20 August 2024 and 28 September 2025.

(b) On behalf of the AIC:

(i) an affidavit of Kate Heremaia (a solicitor employed by Mills Oakley) dated 28 February 2024.  Annexure “KZH1” to the affidavit is a transcript of an audio recording of a telephone conversation between the applicant and Lumo on 12 November 2021; and

(ii) an affidavit of Emma Hubball (a solicitor employed by Mills Oakley) dated 2 October 2025.  This affidavit relates to delegations made by the AIC;

(iii) an affidavit of Alexandra Lean (a solicitor employed by Mills Oakley) dated 7 October 2025.  This is an affidavit of service of certain documents on the applicant; and

(iv) an affidavit of Jami Klisaris (a solicitor employed by Mills Oakley) dated 5 November 2025.

15 In addition, the AIC filed and served a Court Book (CB) of relevant documents (principally email correspondence to or from the AIC in relation to the applicant’s complaint).  (A copy of the CB is also annexed to the affidavit of Ms Heremaia.)  At the request of the Court, the AIC provided the Court with three audio files that are referred to in the CB index and I have treated these as forming part of the material before the Court.

16 The following written submissions have been filed or provided to chambers:

(a) On behalf of the applicant: submissions dated 28 April 2025, 5 September 2025, 10 September 2025, 18 September 2025, 21 September 2025, 6 October 2025, 8 October 2025, 22 October 2025 and 12 November 2025.

(b) On behalf of the AIC: submissions dated 15 September 2025, 2 October 2025 and 5 November 2025.

Background facts

The Complaint

17 The Complaint, which is dated 9 May 2022 (CB 1-6), is poorly expressed.  The following is my attempt to restate the Complaint in plain English, adopting the same numbering as in the Complaint.

(1) The applicant has never been a customer of Lumo and Lumo has never held any credit information about the applicant which it could report to illion or any other credit reporting body.

(2) On 9 November 2021, the applicant’s identity was emailed to Lumo on the sole basis that the applicant was trying to transfer to Lumo as his electricity provider.  The applicant never authorised Lumo to conspiratorially assist or enable illion to directly solicit applicant identification information or to establish an applicant client reference account in illion’s database.

(3) On 12 November 2021, Lumo provided the applicant’s identity to illion:

(a) ostensibly, for the purpose of enquiring about the applicant being primarily liable for a credit obligation; but

(b) in reality, for the purpose of conspiratorially assisting and enabling illion to gain the opportunity to directly solicit and collect the applicant’s personal information and then establish an applicant client reference in illion’s database.

However, illion had never held any history or record in relation to the applicant’s credit eligibility information.  Therefore, illion ought to have been unable to provide information or a recommendation to Lumo (or any other credit provider) about the applicant’s eligibility or capacity to repay a credit amount, and should have advised Lumo that it had never held such information.

(4) The applicant refers to clauses 3.1-3.3 of chapter 3 of the Australian Privacy Principles (APP) in the context of illion receiving unsolicited personal information about the applicant. illion did not have a credit reporting business in relation to the applicant.  Therefore, there was no basis for illion to provide information or a recommendation to Lumo (or another credit provider) about the applicant’s creditworthiness.  Further, there was no legal basis to support illion persistently and directly soliciting personal information from the applicant.

(5) Pursuant to a conspiratorial and premeditated agreement, Lumo assisted illion to gain an opportunity to directly solicit the applicant’s personal information and establish an applicant client reference in illion’s database.

(6) On 19 November 2021, Lumo emailed the applicant stating that:

(a) his “application to transfer [had been] declined” and that the decision was “entirely based on credit eligibility information obtained from illion about you”;

(b) “When writing to them, please provide your full name and address ... they may ask you to provide more information to confirm your identity”.

(c) “You can request access to the credit information we hold about you. ... This includes accessing a copy of your credit eligibility information or correcting the credit eligibility information that we hold about you.”

The purpose of this email was to deceive the applicant into believing that illion had held credit eligibility information about the applicant.

(7) On 22 November 2021, without the applicant’s consent, illion sent three no-reply emails titled: “click to confirm your account”; “Your account has been created”; and “simply click the button below to activate your account”. illion has activated the account despite the applicant taking no steps to do so.

(8) To assist illion in collecting hardcopies of the applicant’s information, on 23 November 2021 Lumo emailed the applicant making the following false representations:

(a) “… we were unable to complete credit check requirements … However, [we’d] be more than happy to set-up a new account for you again ...”;

(b) “we need you to send us a scanned copy of any one of the following document[s] ...”; and

(c) “Your account number is [number omitted]”.

However, these statements were inconsistent with the initial false representations in paragraph (6) above. Further, there was an inconsistency between referring to “[setting] up a new account … again” and providing the account number (which suggested that the account already existed).

(9) On 17 December 2021, illion again emailed the applicant a link to register online for the purpose of directly soliciting hardcopies of his identification information.  There was an inconsistency between this email and the three emails sent on 22 November 2021, which stated that “Your account has been created”.

(10) The applicant never activated the account, but illion confirmed and activated it.

(11) On 22 March 2021, illion emailed a credit report to the applicant.  No credit eligibility information was recorded in the report.  In the category “Enquiries”, only Lumo’s enquiry on 12 November 2021 was recorded.  The credit score [number omitted] was alleged without any credit eligibility information to support it.

(12) In the course of supplying services, illion and Lumo knowingly contravened ss 18(1) and 29(1)(j) of the Australian Consumer Law, being Sch 2 to the Competition and Consumer Act 2010 (Cth) (the Australian Consumer Law) and s 321 of the Crimes Act 1958 (Vic) by conspiratorially making the false representations set out in paragraphs (3)-(11) above.  Further, they directly solicited and collected the identification information by unlawful and unfair means.

(13) The applicant refers to APP 3 (clauses 3.2 and 3.5), APP 4 (clauses 4.1, 4.3 and 4.4), APP 5 (clauses 5.1 and 5.2), and to s 20C(1), (3) and (7), s 20D(1), (3) and (4), ss 20E-20ZA, s 20S(2) and s 20T(1) of the Privacy Act.  During the period 12 November 2021 to 21 November 2021, illion contravened the Privacy Act by knowingly:

(a) not notifying the applicant of the matter referred to in APP 5, clause 5.2, particularly the purpose for which illion was intending to hold the unsolicited credit eligibility information received from Lumo;

(b) failing to destroy or de-identify the unsolicited credit eligibility information.

Further, in the course of directly soliciting the personal information, illion contravened the Privacy Act by knowingly:

(c) not notifying the applicant of the matter referred to in APP 5, clause 5.2, particularly the purpose for which illion was intending to solicit, collect and hold the information;

(d) directly soliciting the credit information by unlawful and unfair means.

(14) illion and Lumo may have engaged in the same kinds of dealings in relation to other members of the public.  The penalty to be applied should reflect this.

(15) illion and Lumo ought to be ordered to destroy or de-identify all applicant identification information and communications between the applicant, illion and Lumo (to whom the applicant would never have proposed transferring electricity services).

Correspondence following the Complaint

18 Following the Complaint, there was correspondence between the Office of the AIC and the applicant and between the Office of the AIC and Lumo.  This correspondence is included in the CB and annexed to the applicant’s affidavit dated 25 January 2024.

19 At the request of the Office of the AIC, the applicant provided copies of relevant emails he received from Lumo and illion.

20 On 17 April 2023, Lumo sent an email to the AIC (CB 41-47) attaching (a) a letter in response to an email Lumo had received from the AIC; and (b) a copy of a Lumo document headed “Credit Reporting Collection Statement – Notifiable Matters for Customers”.  Lumo’s response letter is summarised in the May 2023 Letter (see below).  Lumo’s letter stated (at CB 44) that, in the interests of resolving the matter, Lumo was prepared to agree to the resolution sought by the applicant.  Lumo said that it would take the necessary steps: (a) to de-identify all of the personal information it currently holds about the applicant and (b) to have the credit enquiry that it submitted as part of the account establishment process permanently removed from illion’s records.  Lumo stated that it would await receipt of a response from the Office of the AIC and, if the applicant was agreeable to the proposed resolution, Lumo would take the steps it had outlined and would provide written confirmation.

21 The Lumo document headed “Credit Reporting Collection Statement – Notifiable Matters for Customers” identified illion as one of the credit reporting bodies used by Lumo (CB 45).

22 On 26 April 2023, the investigations officer at the Office of the AIC (being the same person as the delegate who wrote the May 2023 Letter) sent an email to the applicant (annexure 23 to the applicant’s affidavit of 25 January 2024) setting out Lumo’s proposal to resolve the dispute, and requesting that the applicant provide his comments by 3 May 2023.  It seems that the applicant did not consider that the proposal resolved his Complaint.  (There is a statement to this effect in the June 2023 Letter, set out below.)

The May 2023 Letter

23 In the May 2023 Letter (CB 63-69), the AIC’s delegate summarised the Complaint in the following way.  (Notwithstanding the applicant’s submissions to the contrary, I consider the delegate’s summary to be a fair summary of the Complaint.)

You advise that you contacted Lumo on 12 November 2021, to simply enquire about transferring your electricity supply to Lumo but did not agree to become a Lumo customer, authorise Lumo to set up a new account for you, or disclose your personal information to a Credit Reporting Body (CRB). Nonetheless, Lumo proceeded to make a credit enquiry with illion (on 12 November 2021 at 5:31pm) that resulted in illion creating a credit report on its database for you for the first time.

You claim Lumo has interfered with your privacy by:

* failing to notify how it would handle your personal information when you enquired about a new account,

* opening a Lumo account in your name without your consent and

* improperly disclosing your personal information to illion to conduct a credit check without your consent.

You also claim illion has interfered with your privacy by:

* improperly collecting your personal information from Lumo and

* using your personal information to establish a credit report about you.

Further, given that illion never held your personal information prior to Lumo’s interaction with it, you submit there is collusion between Lumo and illion in this matter.

24 The letter then contains a section on “The law”.  It is noted that the Privacy Act includes provisions at Pt IIIA which provide safeguards for the handling of consumer credit reporting information about individuals by credit reporting bodies and credit providers.

25 The letter then has sections headed “Credit Providers” and “Credit Reporting Bodies”, which set out relevant provisions relating to such entities.

26 The next section of the letter is headed “Lumo’s response in this matter”.  I set out that section in full:

In response to your complaint … Lumo states it reviewed your account history and interaction and advises that:

* you contacted Lumo on 12 November 2021 by telephone to set up an electricity account for your residential premises at [details omitted]. During this conversation you informed Lumo that:

* you had been on the Victorian Energy Compare website and

* you wanted to sign up an electricity account with Lumo,

* and enquired about how soon the account could be established.

Lumo informed you that:

* to set up an electricity account you would be required to provide the following personal information - full name, date of birth, mobile contact number, and [driver’s] licence number.

* you initially advised that you did not have your [d]river’s licence details with you but subsequently [you were] able to provide [your] [d]river’s licence number. You also advised that you wanted to add your concession card details on the account.

* Lumo recorded your [driver’s] licence number in its system. It also recorded your concession card details for the purpose of applying your concession entitlement to the account.

* In addition, you provided Lumo with your email address and advised that your preferred billing frequency was quarterly.

* Lumo advised you of the rates for the plan you selected and informed you that to set up an energy account it needed to conduct an external credit check.

* You enquired about the purpose of the credit check. Lumo informed you it was to check your financial behaviour and that it would require your consent to complete a credit check. You agreed to a credit check being performed.

* Lumo informed you that information about its privacy and credit reporting practices, and a Notifiable Matters Statement were available on its website at www.lumoenergy.com.au/privacy[.] [T]his includes information about who it exchanges credit information with, how to access the information and how to make a complaint.

* Lumo then proceeded with the credit check and completed the sign up for the energy account.

* Lumo confirms that you requested an energy account be established in your name and provided explicit informed consent to do so.

* the assertion that you only sought to enquire about an energy account is not supported by your interactions with Lumo or the sequence of events outlined above.

* Lumo conducts its credit assessments with credit reporting bodies, in this case illion, to inform its decision about whether to provide an energy supply agreement to the individual. For this reason, Lumo provided the details it received from you to illion as part of its creditworthiness assessment process.

* Lumo conducted a credit check enquiry with illion only after obtaining your consent to do so, during the phone call. It also informed you that the credit check enquiry result required a referral to a specialist from its internal credit check team and explained that if it required additional information Lumo would contact you to request this detail and continued with the sign-up process.

* Lumo issued a welcome pack dated 12 November 2021 to you, this included a copy of its Notifiable Matters Statement that contains information about how Lumo and its related entities collect, use, hold and disclose credit information about individuals for the purposes of providing its goods and services on credit and to obtain payment for these goods and services (copy attached to its response).

* the credit enquiry result was referred to its credit check team who identified that photographic identification was required to successfully complete the creditworthiness assessment as there was insufficient information with the Credit Reporting Body (illion).

* On 15 November 2021, Lumo’s credit check team sent you an SMS advising that Lumo:

* was unable to verify your identification and requested photographic identification from you,

* that if it did not receive the requested identification the account would be cancelled.

* On 18 November 2021, Lumo sent you a letter advising that your application to transfer to Lumo had been declined; on the basis that you did not meet its customer credit requirements as it was unable to successfully complete a credit check due to not having received the required acceptable identification.

* On 19 November 2021, you sent an email to·Lumo querying the credit decline letter.

* Lumo responded to you on 23 November 2021, advising it required identification documents to complete the credit check and set up an account for you.

In addition, the OAIC [i.e. the Office of the AIC] has subsequently obtained a copy of Lumo’s call recording of its conversation with you on 12 November 2021.

(Emphasis added.)

27 The next section of the May 2023 Letter is headed “Our view”.  The delegate stated that, based on the available information, it was her view that Lumo and illion had not interfered with the applicant’s privacy as defined by the Privacy Act.  The delegate’s reasoning is set out in the next two sections of the letter under the headings “Complaint about Lumo” and “Complaint about illion”. These sections also appear in the June 2023 Letter and are in substantially the same terms in that letter.  They are set out below in the course of discussing that letter.

28 The final section of the letter is headed “Next steps”.  The delegate stated that, based on the available information and pursuant to s 41(1)(a) of the Privacy Act, she intended to decline to investigate the Complaint.  However, before she made a decision, she invited the applicant to provide a response to the letter, any response to be received by 8 June 2023.

Further comments from the applicant

29 As noted above, on 27 May 2023, the applicant provided additional comments and documents (CB 70-80).  On 8 June 2023, the applicant requested that the Complaint be referred to the investigation team and provided various documents (CB 81-102).

The June 2023 Letter

30 In the introductory part of the June 2023 Letter (CB 104-111), the AIC’s delegate (being a different person to the delegate who wrote the May 2023 Letter) referred to the May 2023 Letter and the further comments received from the applicant.  The delegate acknowledged that the applicant was dissatisfied with the view expressed in the May 2023 Letter and wanted another officer at the Office of the AIC to investigate his Complaint.  The delegate stated that she had reviewed the matters carefully and considered the information the applicant had provided, but it had not changed the Office of the AIC’s view.  The delegate made the following introductory statements (some of which respond to matters the applicant had raised):

I am satisfied that illion operates as a credit reporting business within the meaning given in s6P of the Privacy Act. Since Lumo as a credit provider (CP), is a customer of credit reporting body (CRB) illion, it conducts credit check with illion. I accept that illion did not hold credit report for you until Lumo’s credit inquiry on 12 November 2021. However, there is no information before me to support your concerns that Lumo collected your personal information by unlawful or unfair means or colluded with illion to conduct a credit enquiry on the pretext of setting up a utility account that Lumo later cancelled, for illion to establish a credit report for you. You are correct in stating that where an individual who does not have a credit report applies for a household utility service, it can result in a credit report being established for them by a CRB because they applied for an electricity account or switched electricity suppliers.

Given the circumstances described in your complaints, I am satisfied that we have considered the relevant sections in the credit reporting provisions that apply in your matters. You reference several sections including s20C(1), s20C(3), s20C(7), s20D(1), s20D(4) and s21S(2) that we did not consider. However, I am satisfied they are not relevant to the circumstances in your complaints because Lumo was entitled to conduct a credit check and as a CRB, illion was entitled to collect your personal information from Lumo and create a credit report for you since it did not have a credit report for you at the time.

You also consider the OAIC [i.e the Office of the AIC] has ‘protected’ illion by not obtaining its response in your complaint. The Commissioner can exercise her discretion to decline to investigate matters including without contacting a respondent, where she is satisfied on the available information, that there has not been an act or practice by the respondent that is an interference of privacy as defined in the Privacy Act. As an impartial regulator, the OAIC does not act for either party and seeks to always act without bias and in a fair manner.

Notwithstanding our view, in the interests of resolving your complaint further to the OAIC’s early resolution process, Lumo offered to remove the credit enquiry from your illion credit report. However, you did not consider it resolves your Lumo complaint.

(Emphasis added.)

31 The delegate stated that she was therefore “closing these matters on the basis that there has not been an interference with [the applicant’s] privacy” and that she would confirm the reasons for this below (i.e. in the balance of the letter).

32 The next section of the letter is headed “Your Privacy Complaints” and is the same as the summary of the Complaint contained in the May 2023 Letter (set out above).

33 The next three sections of the letter are headed “The law”, “Credit Providers” and “Credit Reporting Bodies”.  These sections are substantially the same as in the May 2023 Letter.

34 Next, the letter contains a section headed “Lumo’s response in this matter”.  This section is the same as the corresponding section in the May 2023, which has been set out above.

35 The delegate then set out her view that, based on the available information, Lumo and illion had not interfered with the applicant’s privacy as defined by the Privacy Act.  The next two sections of the June 2023 Letter contain the following analysis (which is substantially the same as the analysis set out in the May 2023 Letter):

Complaint about Lumo

The definition of a CP [credit provider] in the Privacy Act includes an organisation or small business operator that supplies goods and services where payment is deferred for 7 days or more e.g. a telecommunications carrier, an energy utility or a water utility. I consider Lumo is a CP for the purposes of the Privacy Act.

From the information provided by Lumo, I am satisfied that:

* you did advise your details to set up an account with Lumo and

* Lumo explained in its phone discussion with you on 12 November 2021, about the credit check it will be conducting with an external CRB [credit reporting body] and the purpose for it and obtained your consent at the time.

I consider that you sought to set up a utility account and Lumo had a valid consumer credit related purpose to access your credit file.

Energy companies are entitled under their terms to carry out credit risk assessments for new customers signing up to an electricity or gas market offer. This typically includes checking the individual’s credit history and credit score when they apply for credit, to assess their credit risk based on factors such as:

* What types of credit or loans they have taken out in the past (including any loans or credit cards they still have) and how much they borrowed

* Whether they've made all their regular repayments on time.

If the individual does not have a credit history, it can be harder for a CP to assess the creditworthiness of the individual.

When a CP provides an individual’s personal information to a CRB by entering it into a CRB’s database for a credit check; it will present a match with that name and the CRB will record a file access entry on that credit report. As a customer of illion, Lumo provided your identifying information to illion’s database for a credit check but since illion did not hold your personal information at the time, illion created a new credit report for you based on the personal information Lumo had provided. This is generally how a CRB creates a credit report on an individual. It does not amount to collusion between the parties as you contend.

From the available information, it is my view that there has not been an act or practice by Lumo that is an interference of your privacy under the credit reporting provisions of the Privacy Act.

Complaint about illion

As a credit reporting body, illion, receives information from, and discloses information to, a number of CPs and other authorised parties.

Generally, a credit enquiry is recorded on your credit file when you make a credit application. The enquiry is recorded on your file regardless of whether your application has been approved or rejected.

illion collected your personal information further to a credit request from Lumo about you. Although illion did not have an existing file for you, Lumo’s request initiated illion’s creation of a new credit report for you. Relevantly, the fact that illion did not hold your personal information prior to Lumo’s credit check, is not an issue that is covered by the Privacy Act.

Under s 20F Item 1, a CRB is permitted to disclose information where a CP requests the information for a consumer credit related purpose, such as making a credit enquiry. In this instance, it appears illion had a legitimate request from Lumo for information about you for a consumer credit related purpose, and this satisfies the requirements of the Act. While I appreciate that illion’s system created a new credit report as it did not have a possible match with your name and details, this does not alter the purpose for which illion collected or used/disclosed the information.

Section 20F of the Act limits the disclosure of credit reporting information by CRBs. In this instance as illion did not have a credit report for you at the time of Lumo’s credit enquiry; I consider illion did not disclose credit reporting information about you to Lumo and s 20F of the Act does not apply.

(Emphasis added.)

36 In the final section of the June 2023 Letter, headed “Decision”, the delegate noted that s 41(l)(a) of the Privacy Act gives the AIC the discretion not to investigate a complaint if she is satisfied that the act or practice complained about is not an interference with privacy, as defined in the Privacy Act.  The delegate stated that, for the reasons set out above and in the May 2023 Letter, she was satisfied of the conditions for the exercise of the discretion in s 41(1) and that the discretion was enlivened.  The delegate stated that she had exercised the discretion under s 41(1) of the Privacy Act to decline to investigate the Complaint.

The call recording

37 In the May 2023 Letter, at the end of the passage summarising Lumo’s response (see [26] above), the delegate referred to having obtained a copy of Lumo’s call recording of its conversation with the applicant on 12 November 2021.  Annexure “KZH1” to the affidavit of Ms Heremaia is a transcript of the audio recording of that conversation.  The transcript comprises six pages and includes the following passage.  (“LESR” refers to Lumo Energy’s Sales Representative.)

(Emphasis added.)

38 The materials before the Court include an audio file of the above conversation.  I have listened to the audio file for the part of the conversation set out above and can confirm that, save in one minor respect, the transcript is an accurate record of that part of the conversation.  The one exception is that at 00:03:28 the speaker was the applicant rather than the LESR.

39 In the above passage, Lumo’s representative referred the applicant to Lumo’s “notifiable matter statements”.  As noted above, Lumo provided a copy of such a statement to the AIC’s delegate, and the statement identifies illion as one of the credit reporting bodies used by Lumo.

The interlocutory applications

40 The interlocutory applications seek the following orders:

(a) The first interlocutory application, dated 4 June 2024, seeks the joinder of Lumo and illion as respondents; opposes the change of the name of the respondent from the “Office of the Australian Information Commissioner” to the “Australian Information Commissioner”; seeks to have set aside paragraphs 1 to 4 of the orders made by a Registrar on 22 May 2024; and seeks default judgment against the respondent on the basis of non-compliance with certain procedural orders and failure to defend the proceeding with due diligence.

(b) The second interlocutory application, dated 6 June 2025, seeks (in substance) the joinder of illion and Lumo as respondents and certain forms of relief against illion and Lumo, namely:

(i) that illion destroy or de-identify the applicant’s credit reporting account established on 12 November 2021, and all communications, emails, attachments and identification information produced by the applicant and Lumo to illion;

(ii) that Lumo destroy or de-identify all applicant communications (audio) recorded or held by Lumo, and all communications, emails, attachments and applicant identification information provided to Lumo.

(c) The third interlocutory application, dated 24 June 2025, seeks (in substance) the joinder of illion and Lumo as respondents and relief against illion and Lumo in substantially the same terms as the second interlocutory application.

41 I will deal first with the application to join illion and Lumo as respondents to the proceeding.  In my view, for the reasons that follow, the joinder of those companies as respondents is not appropriate.

42 A decision by a delegate of the AIC not to investigate an act or practice about which a complaint has been made under s 36 of the Privacy Act is reviewable by this Court under the ADJR Act.  The appropriate respondent to an application for judicial review of such as decision is the AIC, being the decision-maker under the Privacy Act.  In circumstances where there has been a decision not to investigate, at least in the circumstances of this case, it does not appear to be necessary to join as respondents the entities which are alleged to have contravened the Privacy Act to a proceeding seeking judicial review of a decision not to investigate a complaint.  It does not appear that their rights or interests are or could be affected by the application for judicial review.  If the application for judicial review is successful, the likely consequence would be an order remitting the matter to the AIC for reconsideration of whether to investigate the Complaint.

43 Insofar as the applicant seeks relief against illion and Lumo (such as an order that they destroy or de-identify personal information about the applicant), it would not be possible to order such relief against them (even if they were joined as respondents).  That is because the proceeding is framed as an application for judicial review of the AIC’s decision not to conduct an investigation.  As indicated above, if the applicant were successful, the likely order would be an order remitting the matter to the AIC for reconsideration of whether to conduct an investigation.  It is beyond the scope of this proceeding for the Court to consider and determine whether illion or Lumo or both contravened the Privacy Act.  It follows that it is beyond the scope of this proceeding to make orders against illion or Lumo of the kind sought by the applicant.

44 For these reasons, the application to join illion and Lumo as respondents is rejected.

45 I deal next with the issue whether the respondent should be referred to as the “Office of the Australian Information Commissioner” (as stated in the originating application) or the “Australian Information Commissioner”.  On 22 May 2024, a Registrar of the Court made an order that the title of the proceeding be amended to record the respondent as “Australian Information Commissioner”.  In my view, that order was correct.  The decision-maker under s 41(1) of the Privacy Act was the AIC rather than the Office of the AIC. Section 41(1)(a) of the Privacy Act confers functions on “the Commissioner”, which is defined as the AIC: see the definition of “Commissioner” in s 6(1) of the Privacy Act and s 3A of the Australian Information Commissioner Act 2010 (Cth) (AIC Act).  Contrastingly, the Office of the Australian Information Commissioner is the statutory agency established by the AIC Act, with the AIC being the head of the statutory agency: s 5(3)(b) of the AIC Act.

46 I deal now with the application to have paragraphs 1-4 of the orders made on 22 May 2024 set aside.  Paragraph 1 relates to the identification of the correct respondent and has been dealt with in the preceding paragraph.  Paragraph 2 simply states that the matter be listed for hearing on a date to be fixed on an estimated duration of one day.  There is no need to set aside that order.  Paragraphs 3 and 4 were simply timetabling orders relating to written submissions for the final hearing.  Those orders were superseded by the timetabling orders that I made on 22 September 2025.  Accordingly, as part of those orders, I set aside paragraphs 3 and 4 of the 22 May 2024 orders.

47 I next deal with the applicant’s application for default judgment on the basis that the AIC failed to comply with certain procedural requirements and has failed to pursue the proceeding with due diligence.  Insofar as the applicant submits that the AIC has not filed an objection to competency, this submission is misconceived.  The AIC does not object to the competency of the proceeding.  Therefore, there is no need to file such a notice.  Insofar as the applicant submits that the AIC has not complied with procedural orders made by a Judge of this Court on 10 November 2023, the AIC did file the affidavit of Ms Heremaia and the CB by 28 February 2024 (being the due date under the 10 November 2023 orders).  I am not satisfied that there was any non-compliance with the orders.  Insofar as the applicant contends that the AIC has not pursued the proceeding with due diligence, this complaint is not particularised.  I am not satisfied that it is made out.  I therefore reject the application for default judgment.

48 Finally, I deal with the applicant’s application for orders to the effect that illion and Lumo destroy or de-identify personal information relating to the applicant and communications relating to the applicant.  As indicated above, orders such as these are beyond the scope of the proceeding.  This proceeding is an application for judicial review of a decision of the AIC not to investigate the Complaint.  If the application were successful, the likely relief would be an order remitting the matter to the AIC for reconsideration.  It is not open to the Court in the context of this proceeding to determine whether illion or Lumo or both contravened the Privacy Act.  It follows that it is not open to the Court to grant relief of the type sought by the applicant against illion and Lumo.

49 For these reasons, the three interlocutory applications are to be dismissed.

The originating application

Overview

50 Having concluded that the interlocutory applications should be dismissed, I now proceed to consider the originating application.

51 As noted above, by the originating application, the applicant seeks judicial review of the Decision pursuant to the ADJR Act.  The originating application does not identify any grounds of review.  However, in his affidavit material and submissions the applicant makes a number of contentions.  In particular, the applicant contends that the AIC made errors of law and/or adopted a wrong approach in forming the view that the acts or practices about which the applicant had complained were not an interference with the applicant’s privacy within the meaning of the Privacy Act.  In addition, the applicant makes a number of other contentions in his affidavit material and submissions.

52 I will first outline the applicable principles (including relevant provisions) and then consider the applicant’s contentions.

Applicable principles

ADJR Act

53 Section 5 of the ADJR Act sets out the available grounds of review.

54 In the present case, there is no issue that the applicant is a “person … aggrieved” within the meaning of s 5(1) of the ADJR Act and that the Decision is a decision to which the ADJR Act applies.

55 The applicant bears the onus of establishing the grounds of review, and any error of law must be material to the decision: see, generally, LPDT v Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs [2024] HCA 12; 280 CLR 321 at [10]-[16]; MZAPC v Minister for Immigration and Border Protection [2021] HCA 17; 273 CLR 506 at [39].

56 Section 16(1) of the ADJR Act provides the orders the Court may make in its discretion on an application for an order of review in respect of a decision.

Privacy Act

57 I will refer to the version of the Privacy Act in force at the time of the Decision (15 June 2023).

58 An act or practice of an “APP entity” is an interference with the privacy of an individual if (relevantly) the act or practice breaches an APP in relation to personal information about the individual (s 13(1), see also s 13F of the Privacy Act).  The AIC submits, and I accept, that Lumo and illion are “organisations” and therefore are “APP entities” within the meaning of the Privacy Act (s 6(1) and s 6C).  There does not appear to be any dispute about this; indeed, it would seem to be a premise of the applicant’s case.

59 An act or practice breaches an APP if it is contrary to, or inconsistent with, that principle (s 6A(1) of the Privacy Act).  The APPs are set out in Schedule 1 of the Privacy Act (s 14(1)), and relevantly include:

(a) APP 3, collection of solicited personal information;

(b) APP 4, dealing with unsolicited personal information;

(c) APP 5, notification of the collection of personal information; and

(d) APP 6, relating to the use or disclosure of personal information.

60 Part IIIA of the Privacy Act deals with the privacy of information relating to credit reporting, including by outlining rules that apply to credit reporting bodies and credit providers in relation to their handling of information relating to credit reporting.  An act or practice of an entity is an interference with the privacy of an individual if (relevantly) the act or practice breaches a provision of Part IIIA of the Privacy Act in relation to personal information about the individual (s 13(2)).

61 The AIC submits, and I accept, that illion is a “credit reporting body” pursuant to s 6 of the Privacy Act, as it is an organisation that carries on a credit reporting business (within the meaning of s 6P of the Privacy Act).  I did not understand this to be disputed by the applicant; indeed, it appears to be a premise of his case.

62 The AIC submits, and I accept, that Lumo is a “credit provider” within the meaning of s 6G of the Privacy Act, as it is an organisation that supplies goods and services where payment is deferred for seven days or more (as a utility company).  Again, I did not understand this to be disputed by the applicant; indeed, it appears to be a premise of his case.

63 Section 40(1) of the Privacy Act provided:

(1)    Subject to subsection (1A), the Commissioner [i.e. the AIC] shall investigate an act or practice if:

(a)    the act or practice may be an interference with the privacy of an individual; and

(b)    a complaint about the act or practice has been made under section 36.

64 An exception was provided by s 41(1) of the Privacy Act, which relevantly provided:

(1)    The Commissioner may decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made under section 36 if the Commissioner is satisfied that:

(a)    the act or practice is not an interference with the privacy of an individual; or …

65 In Simjanovska v Department of Human Services [2019] FCA 499, Perry J stated the following principles, which I adopt, regarding s 41(1):

109    … [it is] not for this Court to exercise the discretion in s 41(1) of the Privacy Act for itself so as to determine whether or not the Commissioner or the Assistant Commissioner should investigate the applicant’s complaint: see by analogy Minister for Immigration and Multicultural Affairs v Rajalingam [1999] FCA 719; (1999) 93 FCR 220 at [65] (Sackville J), [146] (Kenny J); and Re Minister for Immigration and Multicultural Affairs; Ex parte Applicant S20/2002 [2003] HCA 30; (2003) 77 ALJR 1165 at [114] (Kirby J). … The only question for this Court is whether the discretion has been exercised by the Assistant Commissioner according to law.

110    Secondly and related to the first point, the discretion vested in the Commissioner by s 41(1) of the Privacy Act not to investigate a complaint is (relevantly) enlivened by the Commissioner subjectively being satisfied that the act or practice the subject of the complaint is not an interference with the privacy of an individual and not upon whether, objectively speaking, there is no such interference. In other words, it is a precondition to the making of a decision under s 41(1) not to investigate the complaint that the Commissioner reaches the required state of satisfaction: Minister for Immigration and Ethnic Affairs v Wu Shan Liang (1996) 185 CLR 259 (Wu Shan Liang) at 274-275 (Brennan CJ, Toohey, McHugh and Gummow JJ). In turn, where the power in question has been delegated (as here), the power may be exercised by the delegate upon the delegate reaching the required state of mind: see s 34A, Acts Interpretation Act 1901 (Cth). It follows that, to the extent that the applicant seeks to invite this Court to determine afresh whether or not there has been an interference with her privacy in the context of her challenge to the Assistant Commissioner’s decision, the claim cannot succeed.

…

116    Fourthly,  … [i]t is, of course, well established that the Parliament is taken to intend that a statutory discretion will be exercised reasonably: Jones v Office of the Australian Information Commissioner [2014] FCA 285 (Jones) at [19] (Greenwood J). However, as Greenwood J further explained in Jones by reference to binding authority of the High Court:

21. Importantly, however, a requirement of legality in decision-making that a decision be reached according to the rules of reason or, put another way for present purposes, reached reasonably, or not unreasonably reached, is not a vehicle for challenging a decision made in contended error of law and beyond power simply because “disagreement” is found with the “evaluative judgment” of the administrative decisionmaker. Challenging an administrative decisionmaker’s reasoning as illogical or unreasonable may simply be an emphatic way of expressing disagreement with the decision or the merits, and such emphatic disagreement may have “no particular legal consequence” (Minister for Immigration and Multicultural Affairs v Eshetu (1999) 197 CLR 611 at [40] per Gleeson CJ and McHugh J).

22. Properly applied, a standard of legal reasonableness does not involve substituting a Court’s view as to how the discretion should be exercised for that of the decisionmaker. …

23. The legal standard of reasonableness must be the standard indicated by the proper construction of the statute which identifies the express statutory conditions and specific requirements upon which the exercise of the discretion rests in determining whether the statutory power has been abused, as falling short of the statutory standard, as a matter of legality in decisionmaking ([Minister for Immigration and Citizenship v Li [2013] HCA 18; (2013) 249 CLR 332 (Li)] per Hayne, Kiefel and Bell JJ at [76]).

…

25. In this case, the decisionmaker was required to understand the obligation to have proper regard to the express statutory conditions upon which the exercise of the discretion rested. The more specific errors in decisionmaking to which Courts often have regard in the exercise of jurisdiction under, for example, the ADJR Act and the jurisdiction conferred on the Court by the Judiciary Act 1903 (Cth) are ultimately all encompassed by the notion of unreasonableness, measured and applied according to a legal standard indicated by the “true construction of the statute”, in determining whether the statutory power has been abused (Li, per Hayne, Kiefel and Bell JJ at [67] and [72]). Unreasonableness is a conclusion which may be applied to a decision “which lacks an evident and intelligible justification” (Li per Hayne, Kiefel and Bell JJ at [76]).

117    … as Greenwood J emphasises in these passages, the question is not whether the applicant or the Court disagrees, even strongly, with the decision under review but rather, whether having regard to the proper construction of the statute, the decision lacks an evident and intelligible justification.

…

122    Furthermore, there is no express limitation upon the stage at which the discretion in s 41(1) can be exercised. To the contrary, subject to the requirements of procedural fairness, the apparent purpose of s 41(1) is to empower the Commissioner to decide not to investigate a complaint or to terminate a complaint at any stage when she or he reaches the requisite state of satisfaction, thereby ensuring that public funds and resources are directed towards resolving potentially meritorious complaints.

Consideration

66 The applicant’s main contention is that the AIC made errors of law and/or adopted a wrong approach in forming the view that the acts or practices about which the applicant had complained were not an interference with the applicant’s privacy within the meaning of the Privacy Act (and therefore erred in concluding that the relevant condition for the exercise of the discretion in s 41(1) was satisfied).

67 However, I am not satisfied that the AIC made any error of law or that the AIC adopted a wrong approach in forming the view that she did, namely that the alleged acts or practices of illion and/or Lumo were not an interference with the applicant’s privacy within the meaning of the Act.

68 One of the major difficulties with the applicant’s submissions is that they fail to grapple with the facts that (as the delegate found in the section of the June 2023 Letter headed “Complaint about Lumo”):

(a) the applicant provided his details to Lumo for the purpose of setting up an account with Lumo;

(b) in the telephone discussion on 12 November 2021, Lumo explained that it would be conducting a credit check with an external credit reporting body and explained the purpose of the check; and

(c) Lumo obtained the applicant’s consent to that check.

69 It is unclear whether the applicant challenges those factual findings.  In any event, the material before the Court (namely, the transcript and audio recording of the 12 November 2021 telephone discussion) makes clear that there was a proper basis for those findings.

70 In light of those findings, many of the applicant’s contentions about breaches of the Australian Privacy Principles and/or Pt IIIA of the Privacy Act are misplaced.  In essence, in circumstances where the applicant authorised the credit provider (Lumo) to conduct a credit assessment with a credit reporting body (illion), it was not contrary to the APPs or Pt IIIA of the Privacy Act for Lumo to provide the applicant’s details to illion (for the purpose of obtaining a credit risk assessment) and it was not contrary to the APPs or Pt IIIA for illion to provide a response.

71 In his Complaint and in his affidavit material and submissions, the applicant alleges that he never authorised Lumo to conspiratorially assist or enable illion to directly solicit applicant identification information or to establish an applicant client reference account in illion’s database.  The principal difficulty with this contention is that, as set out above, the applicant did authorise Lumo to conduct a credit risk assessment with its external credit reporting body.  This carried with it an authority for illion to directly or indirectly solicit applicant identification information.  It also carried with it an authority for illion to create a client reference account in illion’s database.  I note also that it does not appear that illion directly solicited further information from anyone other than the applicant.  Insofar as the applicant complains that illion sent him three emails soliciting further information from him, I fail to see what the problem with this is in terms of the APPs or Pt IIIA of the Privacy Act.  It did not involve the disclosure of the applicant’s personal information to a third party, which would seem to be the main concern of the relevant APPs.  Accordingly, insofar as the applicant contends that the delegate’s response to this aspect of the Complaint involved an error of law or an incorrect approach, I reject that contention.

72 In his Complaint and in his affidavit material and submissions, the applicant refers to clauses 3.1-3.3 of APP3.  APP3 concerns the collection of solicited personal information.  Clause 3.1 applies to agencies and does not appear to be applicable to Lumo or illion.  Clause 3.2 provides that, “[i]f an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities”.  In my opinion, the delegate’s reasons (summarised above) provide an adequate explanation of why the delegate formed the view that there was no breach of that principle.

73 Clause 3.3 relevantly provides that:

An APP entity must not collect sensitive information about an individual unless:

(a)    the individual consents to the collection of the information and:

…

(ii)    if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or …

It does not appear that Lumo or illion collected any “sensitive information” (as defined in s 6 of the Privacy Act) about the applicant.  Therefore, there does not appear to be any error by the delegate in not concluding that there was an interference with the above principle.

74 In his Complaint and in his affidavit material and submissions, the applicant refers to Lumo’s email to him of 19 November 2021 and contends that the purpose of this email was to deceive the applicant into believing that illion had held credit eligibility information about the applicant.  I can see how Lumo’s statement that the decision to reject the applicant’s application was “made in part or entirely based on credit eligibility information obtained from illion about you” (see the relevant email at annexure 6 to the applicant’s 25 January 2024 affidavit) may have given the (false or misleading) impression that illion already held credit eligibility information about the applicant.  However, I do not see how any such misrepresentation constituted a breach of the APPs or Pt IIIA of the Privacy Act.  Accordingly, I am not satisfied that this point provides a basis to conclude that the delegate made an error.

75 In his Complaint and in his affidavit material and submissions, the applicant refers to Lumo’s email to him of 23 November 2021 and contends that the statements in that email were inconsistent with the initial false representation in paragraph (6) of the Complaint (namely, that illion had held credit eligibility information about the applicant).  It is difficult to see what the applicant’s point is here.  It would seem that the statements in the 23 November 2021 email simply corrected any misrepresentation created by the email of 19 November 2021.  Accordingly, I am not satisfied that this point provides a basis to conclude that the delegate made an error.

76 In his Complaint and in his affidavit material and submissions, the applicant refers to illion’s email to him of 17 December 2021 (with a link to register online for the purpose of directly soliciting the hardcopies of his identification information) and contends that there was an inconsistency between that email and the three emails sent by illion to the applicant on 22 November 2021 (which suggested that an account had been created).  I am not clear what the asserted inconsistency is.  But in any event, it is difficult to how any inconsistency, or the later email, could constitute a breach of the APPs or Pt IIIA of the Privacy Act.  This was merely an email from illion to the applicant inviting him to register and provide information.  The email did not involve (for example) a disclosure by illion of the applicant’s personal information to a third party or a failure by illion to protect the applicant’s personal information.  Accordingly, I am not satisfied that this point provides a basis to conclude that the delegate made an error.

77 In his Complaint and in his affidavit material and submissions, the applicant contends that illion activated a credit account relating to him.  However, as discussed above, the applicant authorised Lumo to conduct a credit check with its external credit reporting body (illion).  In these circumstances, I do not see how illion’s activation of a credit account could constitute a breach of the APPs or Pt IIIA of the Privacy Act.  Accordingly, I am not satisfied that this point provides a basis to conclude that the delegate made an error.

78 In his Complaint and in his affidavit material and submissions, the applicant contends that illion and Lumo knowingly contravened s 18(1) and 29(1)(j) of the Australian Consumer Law and s 321 of the Crimes Act by conspiratorially making the false representations set out in paragraphs (3)-(11) of the Complaint.  The AIC was empowered to decide not to investigate the Complaint if (relevantly) she was satisfied that “the act or practice is not an interference with the privacy of an individual”.  It was not incumbent on the AIC to consider whether the applicant’s contentions based on the provisions of the Australian Consumer Law and the Crimes Act were made out; it was sufficient (to decide not to investigate) that the AIC was satisfied that the act or practice was not an interference with the applicant’s privacy within the meaning of the Privacy Act.  Accordingly, this point does not provide a basis to conclude that the AIC made an error of law or adopted an incorrect approach.

79 In his Complaint and in his affidavit material and submissions, the applicant refers to and relies on APP 3 (clauses 3.2 and 3.5), APP 4 (clauses 4.1, 4.3 and 4.4), APP 5 (clauses 5.1 and 5.2), s 20C(1), (3) and (7), s 20D(1), (3) and (4), and ss 20E-20ZA of the Privacy Act.  I will deal with each of those provisions (or groups of provisions) in turn.

80 Clause 3.2 of APP 3 has been discussed above.  Clause 3.5 of APP 3 provides that “[a]n APP entity must collect personal information only by lawful and fair means”.  In my view, this provision was adequately considered by the delegate in the sections headed “Complaint about Lumo” and “Complaint about illion”.  The delegate explained why she did not consider the collection of information by Lumo and illion to be unlawful or unfair.  I am not satisfied that the delegate made any error in relation to clause 3.5.

81 Clauses 4.1, 4.3 and 4.4 of APP 4 concern dealing with unsolicited personal information.  Insofar as illion might be said to have received unsolicited personal information about the applicant (from Lumo), in circumstances where the applicant authorised Lumo to conduct a credit check with its external credit reporting body (illion), it is not clear how any breach of clause 4.1, 4.3 or 4.4 could be said to have occurred.  In my view, these clauses were adequately considered (albeit not in terms) by the delegate in the sections headed “Complaint about Lumo” and “Complaint about illion”.  I am not satisfied that the delegate made any error in relation to clauses 4.1, 4.3 or 4.4.

82 Clauses 5.1 and 5.2 of APP 5 concern the notification of the collection of personal information.  Clause 5.1 provides:

At or before the time or, if that is not practicable, as soon as practicable after, an APP entity collects personal information about an individual, the entity must take such steps (if any) as are reasonable in the circumstances:

(a)    to notify the individual of such matters referred to in subclause 5.2 as are reasonable in the circumstances; or

(b)    to otherwise ensure that the individual is aware of any such matters.

83 In the present case, it seems that the only personal information collected by Lumo was the information provided by the applicant to Lumo, and the only personal information collected by illion was the information provided by the applicant to Lumo (which Lumo provided to illion).  As the applicant’s Complaint itself discloses, there were a number of communications from Lumo or illion to the applicant.  In the circumstances (as described in the June 2023 Letter), it is not clear how Lumo or illion could be said to have breached clauses 5.1 or 5.2.  In my view, these clauses were adequately considered (albeit not in terms) by the delegate in the June 2023 Letter.  I am not satisfied that the delegate made any error in relation to clauses 5.1 or 5.2.

84 Section 20C is contained in Div 2 of Pt IIIA of the Privacy Act and relates to credit reporting bodies (here, illion).  The section is headed “Collection of solicited credit information”.  While subsection (1) contains a general prohibition (“[a] credit reporting body must not collect credit information about an individual”), subsection (3) provides an exception:

(3)    Subsection (1) does not apply if:

(a)    the credit reporting body collects the credit information about the individual from a credit provider who is permitted under section 21D to disclose the information to the body; and

(b)    the body collects the information in the course of carrying on a credit reporting business; and

(c)    if the information is identification information about the individual–the body also collects from the provider, or already holds, credit information of another kind about the individual.

Section 20C(7) provides that “[a] credit reporting body must collect credit information only by lawful and fair means”.  In the introductory part of the June 2023 Letter, the delegate stated that she was satisfied that ss 20C(1), 20C(3) and 20C(7) were not relevant to the circumstances in the applicant’s Complaint because Lumo was entitled to conduct a credit check and illion (as a credit reporting body) was entitled to collect the applicant’s personal information from Lumo.  I am not satisfied that the delegate made an error of law or adopted an incorrect approach in forming that view.  It is amply supported by the facts of the case as described in the June 2023 Letter.

85 Section 20D is also contained in Div 2 of Pt IIIA and relates to credit reporting bodies.  The section is headed “Dealing with unsolicited credit information”.  In the introductory part of the June 2023 Letter, the delegate stated that she was satisfied that ss 20D(1) and 20D(4) were not relevant to the circumstances in the applicant’s Complaint because Lumo was entitled to conduct a credit check and illion (as a credit reporting body) was entitled to collect the applicant’s personal information from Lumo.  Again, this conclusion is amply supported by the facts as set out in the June 2023 Letter.  I am not satisfied that the delegate made an error of law or adopted an incorrect approach in forming that view.

86 Sections 20E to 20ZA are also contained in Div 2 of Pt IIIA and relate to credit reporting bodies.  These sections broadly concern: the way in which a credit reporting body is to deal with credit reporting information; the integrity of credit reporting information; access to and correction of information; and dealing with credit reporting information after the retention period ends etc.  I make the following points about this set of provisions.

(a) Section 20F is headed “Permitted CRB disclosures in relation to individuals”.  The delegate considered s 20F in the section of the June 2023 Letter headed “Complaint about illion”, stating that “[i]n this instance as illion did not have a credit report for you at the time of Lumo’s credit enquiry; I consider illion did not disclose credit reporting information about you to Lumo and s 20F of the Act does not apply”.  I consider that it was open to the delegate to form this view based on the facts and matters set out in the June 2023 Letter.

(b) Section 20P is headed “False or misleading credit reporting information”.  Section 20P(2) provides that “[a] credit reporting body must not use or disclose credit reporting information under this Division (other than subsections 20D(2) and 20T(4)) if the information is false or misleading in a material particular”.  There does not appear to be a factual basis to allege that illion breached this provision.  Accordingly, I am not satisfied that the delegate fell into error by not directly addressing this provision.

(c) Section 20R is headed “Access to credit reporting information”.  The Complaint did not allege (for example) that the applicant had sought access to his credit reporting information held by illion and that illion had refused such a request.  Indeed, I note that annexure 19 to the applicant’s affidavit dated 25 January 2024 is a letter from illion to the applicant attaching his credit reporting information.  In light of these matters, I am not satisfied that s 20R is relevant to the Complaint.  Accordingly, I am not satisfied that the delegate needed to deal with this section.

(d) Section 20S is headed “Correction of credit reporting information”.  The delegate referred to s 20S(2) in the introductory part of the letter.  She stated that she was satisfied that s 20S(2) was not relevant to the circumstances in the applicant’s Complaint because Lumo was entitled to conduct a credit check and illion (as a credit reporting body) was entitled to collect the applicant’s personal information from Lumo.  Having regard to the terms of s 20S(2), it does not appear to be applicable to the present circumstances.  Accordingly, I am not satisfied that the delegate fell into error by concluding that it was not relevant.

(e) Section 20T(1) provides that an individual may request a credit reporting body to correct personal information in certain circumstances.  Although the applicant referred to that section in the Complaint, the Complaint does not allege (for example) that the applicant requested illion to correct credit information about him and illion failed to comply with such a request.  It does not appear that s 20T(1) is relevant to the Complaint.

(f) In relation to the balance of the provisions from s 20E to s 20ZA, I am not satisfied that the delegate erred by not considering them in terms, given the facts and circumstances of the case as described in the June 2023 Letter.

87 In his affidavit material and submissions, the applicant refers to s 21S(2).  That provision is located in Div 3 of Pt IIIA and relates to credit providers.  The section is headed “Security of credit eligibility information”.  Section 21S(2) provides:

If:

(a)    a credit provider holds credit eligibility information about an individual; and

(b)    the provider no longer needs the information for any purpose for which the information may be used or disclosed by the provider under this Division; and

(c)    the provider is not required by or under an Australian law, or a court/tribunal order, to retain the information;

the provider must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.

88 The expression “credit eligibility information” is defined in s 6 in the following way:

credit eligibility information about an individual means:

(a)    credit reporting information about the individual that was disclosed to a credit provider by a credit reporting body under Division 2 of Part IIIA; or

(b)    CP derived information about the individual.

89 In the introductory section of the June 2024 Letter, the delegate noted that the applicant had referred to s 21S(2).  The delegate stated that she was satisfied that s 21S(2) was “not relevant to the circumstances in [the applicant’s] complaints because Lumo was entitled to conduct a credit check and as a CRB, illion was entitled to collect [the applicant’s] personal information from Lumo and create a credit report for [the applicant] since it did not have a credit report for [the applicant] at the time”.  In my view, this does not provide an adequate reason for not addressing s 21S(2); even if Lumo was entitled to conduct a credit check, s 21S(2) may still require Lumo to take certain steps.  However, I am not satisfied that any error of the delegate in failing to consider s 21S(2) was material.  This is because, by its letter dated 17 April 2023, Lumo offered to take the necessary steps (a) to de-identify all of the personal information it currently holds about the applicant and (b) to have the credit enquiry that it submitted as part of the account establishment process permanently removed from illion’s records.  It is unclear whether Lumo has given effect to its offer.  If it has not done so, it would appear to be appropriate for Lumo to do so.  I will request the AIC to provide a copy of these reasons to Lumo, and draw its attention to this paragraph.

90 In his affidavit material and submissions, the applicant refers to s 21T(1).  That provision is located in Div 3 of Pt IIIA and relates to credit providers.  The section is headed “Access to credit eligibility information”.  The Complaint did not allege (for example) that the applicant requested Lumo to provide access to such information and that Lumo refused to provide it.  I am not satisfied that this provision is relevant to the Complaint.  I am therefore not satisfied that the delegate made an error by not dealing with s 21T(1).

91 For these reasons, I am not satisfied that the delegate made an error of law or adopted a wrong approach in forming the view that the alleged acts and practices were not an interference with the applicant’s privacy within the meaning of the Privacy Act.

92 While the applicant expresses some of his contentions in other ways (for example, taking into account irrelevant considerations or failing to take into account relevant considerations), there is substantial overlap between the applicant’s other contentions and the contentions discussed above.  For substantially the same reasons, I am not satisfied that the delegate erred in forming the view that the alleged acts and practices were not an interference with the applicant’s privacy within the meaning of the Privacy Act.

93 In his submissions dated 21 September 2025, the applicant contends that the delegate did not have a delegation to make the Decision.  In my view, this contention should be rejected.  Section 25 of the AIC Act provides for the AIC to delegate, in writing, all or any of his or her functions or powers to a member of staff of the Office of the AIC, save for the functions listed in s 25(1)(a) to (k) inclusive, which have no application in the present matter.  The evidence establishes:

(a) on 3 February 2023, the (then) AIC, Angelene Falk, delegated to “the persons from time to time holding, occupying or performing the duties of the positions listed in column 1 of the schedule below, all powers and functions conferred upon [the AIC] by the provisions referred to in the Acts listed in columns 2 to 8 of the schedule below” (the Delegation);

(b) relevantly, the Delegation included a delegation to “Executive Level 1 to Australian Public Service 2 Dispute Resolution, Major Investigations and Regulation & Strategy Branches” of the following functions or powers: “Part V, Division 1 – Investigation of complaints and investigations on Commissioner’s initiative, ss 36(4), 40, 40A, 41, 42, 43(1) to (3), 48, and 50A” of the Privacy Act;

(c) at the time the delegate made the Decision (which was a decision under s 41 of the Privacy Act), the delegate was acting as the Assistant Director, Dispute Resolution Branch and made the Decision in that capacity; and

(d) on the basis of the affidavit of Jami Klisaris, I am satisfied that the delegate was performing the duties of an Executive Level 1 position and therefore held a delegation of the power in s 41 of the Privacy Act.

94 If and to the extent that the applicant contends that the delegate erred by not contacting illion as part of the consideration of the Complaint, I do not accept that contention.  Pursuant to s 42(2) of the Privacy Act, the AIC may make inquiries of any person for the purpose of determining whether to investigate an act or practice under subsection 40(2).  This function is discretionary. In circumstances where Lumo had provided a detailed response, I am not persuaded that it was legally unreasonable, or otherwise a reviewable error, not to contact illion.

95 In conclusion, the applicant has not established any ground of review within the meaning of s 5 of the ADJR Act.

Conclusion

96 It follows that the originating application is to be dismissed.

97 In relation to costs, my preliminary view is that the applicant should pay the AIC’s costs of the proceeding (including the interlocutory applications) in accordance with the usual position that costs follow the event.  However, I will give the applicant the opportunity to file a written submission if he wishes to seek a different costs order.  If he files such a submission, the AIC will have the opportunity to respond, and I propose to determine the issue of costs on the papers.

Associate:

Dated:    30 January 2026