AVB16 v Minister for Immigration

FEDERAL CIRCUIT COURT OF AUSTRALIA

REPRESENTATION

ORDERS

1. The application be dismissed.

SYG 846 of 2016

Applicant

And

First Respondent

Second Respondent

REASONS FOR JUDGMENT

Background

1. The applicant is a citizen of the People’s Republic of China who arrived in Australia on 24 September 2001 as a student. On 27 April 2002 she was granted a further student visa which ceased on 18 March 2003. The applicant then remained unlawfully in the community until 4 October 2012 when she was located by the compliance officers of the Department of Immigration and Border Protection (“Department”) and was detained under s.189 of the Migration Act1958 (Cth).

2. The applicant was in immigration detention on 31 January 2014 which meant that she was one of many people whose personal details were made available on publicly accessible areas of the website maintained by the Department on 10 February 2014. That incident has become known as the data breach.

3. The applicant was notified in March 2014 about the data breach and was informed that the information made available included her name, date of birth, nationality, gender, details of when she was detained (reason and where) and whether she had other family members in detention. It did not include any current or former address, phone number, contact information or any other information such as health information.

4. By letter dated 19 June 2014 the Department informed the applicant that any implications for her personally would be assessed as part of the Department’s “normal processes” and invited her to put any concerns that she had regarding the impact of the data breach to the Department in writing. The applicant responded to that invitation by letter dated 24 June 2014 from a firm of solicitors. In that letter, the solicitors indicated, amongst other things, that the release of the applicant’s personal information had amplified her dissatisfaction and stress with her situation and that it posed the risk that she would be ostracised due to the fact that her detention might become known to her former friends and family and affect her future social interactions, further reducing her ability to reintegrate into her country of origin.

5. On 19 February 2015 the applicant applied for a protection visa. In that application she claimed that she would be detained and suffer torture or even a death sentence as a result of the data breach.

6. In an annexure to the application the applicant referred to “KPMG’s Privacy breach - Data management report, 20 May 2014” and submitted that there was no possible way of determining who had had access to, or saved her personal information, or how many times it had been accessed and to whom it had been forwarded. She further stated:

   …

   There is no way of knowing who I could face a real risk of harm from as it may go well beyond the authorities in China, including foreign security and intelligence agencies, terrorist organisations and criminal syndicates. In addition, the Human Resources Sections of companies and public service departments would also have access to the information and would undermine my ability to find employment in my home country and overseas and foreign governments may use this information as a reason not to grant visas for me to travel out of China. Without disclosure of the information then everyone involved in this process is speculating.

   …

7. On 7 December 2015 a delegate of the Minister made a decision not to grant the applicant a protection visa. It will be necessary to return to her reasons for decision in due course. The applicant applied to the Administrative Appeals Tribunal for review of the delegate’s decision. She attended a hearing conducted by the Tribunal on 16 March 2016 and the Tribunal made its decision on 18 March 2016 affirming the decision of the delegate.

Consideration

1. The applicant seeks judicial review of the Tribunal’s decision. At the hearing of this matter counsel for the applicant sought an adjournment on the basis that the High Court had reserved its decision in an appeal from a judgment given by the Full Court of the Federal Court of Australia concerning the data breach: SZSSJ v Minister for Immigration & Border Protection (2015) 234 FCR 1; [2015] FCAFC 125 (“SZSSJ”). I refused that application on the basis that the decision of the Full Court did not concern a decision of the Tribunal, but rather an internal process conducted by the Department.

2. In ABC15 v Minister for Immigration & Border Protection [2015] FCA 1314 Robertson J explained at [29] that SZSSJ is distinguishable, at least on the basis that it concerned non-statutory processes being conducted by officers of the Department itself, rather than, as here, by the Tribunal under a statutory process: see also DZAEH v Minister for Immigration & Border Protection [2016] FCA 54 at [31]‑[32]; AAG15 v Minister for Immigration & Border Protection [2016] FCA 67 at [13]‑[14], [16]; DZAEH v Minister for Immigration & Border Protection [2016] FCA 83 at [38]; and DZAFB v Minister for Immigration & Border Protection [2016] FCA 827 at [24].

3. In any event, the High Court overturned the decision of the Full Court: Minister for Immigration & Border Protection v SZSSJ (2016) 90 ALJR 901; [2016] HCA 29.

Ground one

1. There were four grounds in the application as filed; however, the applicant expressly abandoned grounds three and four. The first ground is (as it appears in the application):

   1.The Tribunal erred by asking itself the wrong question.

   Particulars

   a)At [13] the Tribunal found that:

   All of these claims relate to a complaint about a breach of privacy and do not demonstrate that there is a real chance she will suffer serious harm in China because their basic data was made temporarily available some time ago; and

   b)The Tribunal has failed consider (Sic) whether the applicant would face serious or significant harm upon return to China due to the data breach.

   (Emphasis in original)

2. The ground as formulated is entirely unsustainable. The passage quoted from the Tribunal’s reasons for decision was immediately preceded by the following:

   [13]The applicant also referred to litigation in the High Court about the data breach and said that she had complained to the Privacy Commissioner about it. Her privacy had been breached and that had nothing to do with immigration law. She said that a privacy authority should do an assessment of what happened not the department. She made similar claims when this issue was explored with her by the delegate and in written submissions she made to the department.

   …

3. In light of that, the “claims” referred to in the passage relied upon by the applicant were claims made outside her application for a protection visa. In the passage relied upon by the applicant, the Tribunal was in no way summarising the applicant’s protection visa claims. The ground is rejected.

4. The written submissions filed in support of the application, on behalf the applicant, did not deal with the ground as it appeared in the application. Rather, it was submitted that “the Tribunal has not only asked itself the wrong question but has failed in its function to review the decision of the delegate”. This submission was based upon my judgment in ACR15 v Minister for Immigration & Border Protection (2015) 302 FLR 431; [2015] FCCA 2992 where I said, at [26]:

   On its face, this finding by the Tribunal was made with no other basis than the fact that the delegate had made the same finding. If that is in fact the case, it is inconsistent with its obligation to “review” the delegate’s decision. In order to “review” a decision, the Tribunal must consider “for itself” the material before it and make its own findings based on that material: Minister for Immigration and Border Protection v MZYTS and Another (2013) 230 FCR 431 at [32]; MZZZW v Minister for Immigration and Border Protection [2015] FCAFC 133 at [58]. Simply adopting a finding made by the delegate is not a product of a “review”, it is copying.

5. The finding of the Tribunal referred to in this paragraph was:

   [48]… As noted in the delegate’s decision there was no information released regarding [the applicant’s] protection claims, and the Tribunal accepts this.

6. The aspects of the Tribunal’s decision here relied upon by the applicant were:

   a)the statement at [10]:

   According to the decision of the delegate, a routine report released on the website of the department unintentionally enabled access for a short period of time to personal information about people who were held in immigration detention on 31 January 2014. The delegate stated that information released would have included the applicant’s name, date of birth, nationality, gender, and details as to when she was detained. That information did not include current or former addresses, telephone numbers, contact information or information about health or any visa applications she had made.

   b)The fact that the Tribunal considered country information at [11] of its reasons and, at [12], made a finding similar to one made by the delegate that the applicant had “no history of activism of any kind that would make her of interest to the Chinese government”.

7. The applicant did not seek leave to raise this ground and, for that reason, given that she was legally represented, it need not be resolved. Legal practitioners should be aware that the simple fact that something is referred to in written or oral submissions to the Court does not mean that they form any part of the application before the Court. It is often the case that new arguments occur to legal practitioners very late in proceedings. That may be for a variety of reasons, nevertheless, the lateness of such an occurrence does not mean that the Court’s leave to amend is not required.

8. Even if leave had been sought it would have been rejected. There is nothing in the Tribunal’s reasons to suggest that it did nothing more than copy material from the delegate’s decision. To the extent that it relied upon the delegate’s decision to make a finding about the extent of the data breach, there was no error. In her reasons for decision, the delegate found that there had been a release of certain personal information on the basis of what was stated in the letter from the Department to the applicant. That letter, which is summarised above at [3], was before the Tribunal. Thus, the Tribunal did more than simply accept an assessment by the delegate of some unseen information. Further, the simple fact that the Tribunal came to the same conclusion as the delegate on the basis of country information lends no support at all to the applicant’s assertion that the Tribunal had done nothing more than copy part of the delegate’s decision. This argument was bound to fail and any amendment would have been futile.

Ground two

1. The second ground in the application is:

   2.The Tribunal erred in making a finding on the data breach based on no evidence.

   Particulars

   a)At [14] the Tribunal found that:

   The Tribunal acknowledges the applicant’s fears about other entities also gaining access to that minimal and basic information made available about her but the Tribunal has no evidence that such groups have seen this information and hold interest in her or have used this in any way that creates a real change of the applicant suffering serious harm in China; and

   b)The Tribunal makes the further finding that the applicant’s assertions are “highly speculative” while the Tribunal at no time had any access to any of the data breach information in the possession of the department.

   (Emphasis in original)

2. This ground, too, is unsustainable. The applicant did not contest that there was no evidence, as found by the Tribunal, that certain other entities had gained access to her information and that that created a real chance of her suffering serious harm in China. Rather, she argued that the Tribunal erred because it did not have access to the credible, relevant and significant information held by the Department about the data breach and in particular, the abridged KPMG Report dated 20 May 2014 and the Privacy Commissioner’s report dated November 2014[1].

   [1] This is reference to the Department of Immigration and Border Protection: Own motion investigation report, November 2014.

3. In her written submissions, the ground was presented not only as a “no evidence” ground but also as a failure to comply with s.425 of the Act. Whichever way it is argued, the ground is rejected.

4. First, the applicant has not established, indeed has not even attempted to establish, that the Tribunal was easily able to obtain the abridged KPMG Report or the report of the Privacy Commissioner or, more importantly, whether there was such information in either of those reports that was of such obvious and critical importance to the Tribunal’s decision that it ought to have made efforts to obtain them.

5. Secondly, the position is then that the Tribunal (like the Court) was unaware of the contents of those reports. In other words, it did not have information of which the applicant was unaware and to which the applicant did not have the opportunity to address.

6. Thirdly, the applicant did not put that material before the Tribunal and did not seek to obtain the information in either of the reports.

7. In those circumstances, there was no unfairness in the Tribunal’s procedure. Its findings were based upon the material before it including an assessment of what was not in that material, that is, any support for the contention that the release of the applicant’s personal information in February 2014 might give rise to a relevant risk of harm to the applicant in China.

8. Finally, I note that the argument concerning the obligation under s.425 of the Act in fact formed part of ground 3 in the application rather than ground 2. As ground 3 was expressly abandoned by the applicant, it is not strictly necessary to deal with that argument. Nevertheless, I have done so because, firstly; it was straightforward and secondly; in case any of the other many applicants in this Court relying upon the Data Breach might have otherwise considered that the ground was arguable.

Conclusion

1. There is no jurisdictional error in the Tribunal’s decision. The application must be dismissed.

I certify that the preceding twenty-seven (27) paragraphs are a true copy of the reasons for judgment of Judge Smith

Date: 13 September 2016