SZTYD v Minister for Immigration and Border Protection

SZTYD v Minister for Immigration and Border Protection - [2018] FCA 592 - FCA 2018 case summary — Zoe

[4]

Data breach 3 The appellant is one of a group of individuals in immigration detention on 31 January 2014, whose personal information was inadvertently made available on the internet by the Department of Immigration and Border Protection ("data breach"). In Minister for Immigration and Border Protection v SZSSJ [2016] HCA 29; (2016) 259 CLR 180 ("SZSSJ"), the High Court of Australia summarised the circumstances of the "data breach" as follows, at [3]: The data breach occurred on 10 February 2014. The Department routinely publishes statistics on its website. This time the particular electronic form of the document in which the statistics were published included embedded information which disclosed the identities of 9,258 applicants for protection visas who were then in immigration detention. The document containing the embedded information remained on the website until 24 February 2014. 4 As it turns out, this summary was not completely correct. In SZWAJ v Minister for Immigration and Border Protection [2016] FCA 1173 ("SZWAJ") at [33], Griffiths J noted relevantly: Senior Counsel for the respondents acknowledged that there is evidently a factual error in SZSSJ High Court at [3] and [4] where it is suggested that the Data Breach affected only applicants for a protection visa. The Data Breach involved the disclosure of information of 9,258 persons who were in immigration detention, including but not limited to persons who are applicants for protection visas. This point is demonstrated by the Appellant's own circumstances because the Data Breach affected her as a person who was in immigration detention even though, at that time, she was not an applicant for a protection visa. 5 On this appeal, the Minister's counsel, Ms Francois, emphasised that the appellant was in a similar situation to the applicant in SZWAJ in that he also was not an applicant for a protection visa at the time of the data breach, having not yet been permitted to make a protection visa application. 6 In SZSSJ at [5], the High Court recorded the following concerning the aftermath of the data breach: [T]he Department retained external consultants, KPMG, to investigate. KPMG prepared a report for the Department. An abridged version of the KPMG report was later made available to affected applicants. The abridged version of the report recorded that, during the 14 days in which the document disclosing the identities of the visa applicants had remained on the website, the document had been accessed 123 times and that the access had originated from 104 unique internet protocol ("IP") addresses. The abridged version of the KPMG report did not record those IP addresses or give the precise times of access. Rather, the abridged version stated: It is not in the interests of detainees affected by this incident to disclose further information in respect of entities [who] have accessed the Document, other than to acknowledge that access originated from a range of sources, including media organisations, various Australian Government agencies, internet proxies, TOR network and web crawlers. 7 The High Court recorded that the following also occurred after the breach, at [8]: In early March 2014, the Secretary of the Department sent a standard form letter to each of the affected applicants. The letter informed those applicants of the Data Breach and expressed deep regret. The letter continued: "The information that it was possible to access was your name, date of birth, nationality, gender, details about your detention (when you were detained, reason and where) and if you have other family members in detention. The information did not include your address (or any former address), phone numbers or any other contact information. It also did not include any information about protection claims that you or any other person may have made, and did not include any other information such as health information. The department will assess any implications for you personally as part of its normal processes. You may also raise any concerns you have during those processes." 8 At [10], the High Court referred to the Department's conduct of processes known as "International Treaties Obligations Assessments" ("ITOAs"), stating: Departmental officers conducting the ITOAs were specifically instructed to assess the effect of the Data Breach on Australia's non-refoulement obligations adopting the assumption that an applicant's personal information may have been accessed by authorities in the country in which the applicant feared persecution or other relevant harm. 9 At [91] and [92], the High Court concluded: [91] Sensibly interpreted and applied in the context of making an assessment of whether the Data Breach engaged Australia's non-refoulement obligations with respect to them, the assumption was not simply that some of their personal information might have been accessed by some authorities. The assumption was rather that all of their personal information had been accessed by all of the persons or entities from whom they feared persecution or other relevant harm. That is how the assumption was in fact interpreted and applied by the officer who conducted SZTZI's ITOA and how it could reasonably be expected to be interpreted and applied in the conduct of SZSSJ's ITOA. [92] SZSSJ and SZTZI were not deprived of any opportunity to submit evidence or to make submissions relevant to the subject matter of the ITOA process as a result of not having such further information as might be inferred to have been contained in the unabridged version of the KPMG report. Exactly how and why the Data Breach occurred was simply not relevant to the question of whether one or more of Australia's non-refoulement obligations were engaged in respect of them. And irrespective of what the unabridged KPMG report might have to say about the identities of the 104 IP addresses from which the document had been accessed during the 14 day period of the Data Breach, the fact would remain that once the document was downloaded the personal information of SZSSJ and SZTZI could have been accessed by anyone. Even if the unabridged KPMG report might have allowed SZSSJ and SZTZI to prove by reference to the report that one or more of those IP addresses were associated with persons or entities from whom they feared harm, that proof would advance their cases for engagement of Australia's non-refoulement obligations no further than the assumption already made in their favour. 10 Accordingly, the High Court accepted that there had been no denial of procedural fairness resulting from the Department's refusal to give SZSSJ and SZTZI the unabridged copy of the KPMG report, and overturned the decision of the Full Court in SZSSJ v Minister for Immigration and Border Protection [2015] FCAFC 125; (2015) 234 FCR 1.

[5]

Appellant's protection visa application 11 Unlike SZJSS, this appeal is not concerned with an ITOA but rather an application under the "Fast Track Assessment Process" established by the Migration and Maritime Powers Legislation Amendment (Resolving the Asylum Legacy Caseload) Act 2014 (Cth). 12 On 13 August 2015, the Minister exercised his power under s 46A(2) of the Act to allow the appellant to lodge an application for a temporary protection visa or a safe haven enterprise visa ("SHEV"). 13 On 22 March 2016, the appellant applied for a SHEV and on 28 April 2016 he attended a SHEV protection visa interview. The appellant sought protection based on an asserted well-founded fear of persecution arising from political activities in support of the (then opposition) United National Party ("UNP") in Sri Lanka, including supporting a local council election campaign against a man named Nimal Lanza, who was a Minister in the Provincial Council and a member of the (the incumbent) Sri Lanka Freedom Party ("SLFP"). This included a claim that, as a person who had been the victim of homosexual rape, he would suffer persecution as an imputed homosexual and rape victim. The rape (and accompanying false imprisonment and battery) was allegedly committed by a group of thugs who supported Nimal Lanza and the SLFP known as the "Lanza group", following the appellant's activities in support of the UNP. After these alleged events, in 2015, Nimal Lanza was elected to the Sri Lankan Parliament. 14 The appellant additionally claimed to fear harm on account of having been imprisoned in New Zealand, because he left Sri Lanka illegally and because his personal information had been included in the "data breach". 15 On 22 June 2016, the delegate refused to grant the appellant the SHEV. The delegate found that the appellant satisfied the definition of "fast track applicant" under s 5(1) of the Act, being, relevantly, a person: (1) who is an unauthorised maritime arrival and who entered Australia on or after 13 August 2012, but before 1 January 2014, and who has not been taken to a regional processing country; (2) whom the Minister has given a written notice under s 46A(2) determining that s 46A(1) does not apply to an application by the person for a protection visa; and (3) who has made a valid application for a protection visa in accordance with the determination. 16 The delegate accepted the appellant had been the victim of politically motivated violence, including rape "by Lanza men for his lower level political activities", but was satisfied that the appellant could relocate within Sri Lanka. The delegate concluded that the appellant had no political profile of any note and did not accept that he was known by name or by sight as a UNP member by any significant political opponents. The delegate did not accept that the appellant had a sufficient profile or political power to threaten Nimal Lanza's position in Sri Lankan political life, or that Nimal Lanza was intent on targeting the appellant. 17 The delegate also found that there was no real chance of serious harm to the appellant as a result of the "data breach". 18 There is nothing in the delegate's decision record suggesting that the material before the delegate included any version of the KPMG report concerning the data breach. 19 On 13 July 2016, the delegate's decision was automatically referred to the IAA for review. 20 On 5 August 2016, the IAA affirmed the delegate's decision not to grant the appellant a protection visa. The IAA rejected the appellant's account of the rape, as well as the appellant's other claims of violence and persecution. The appellant submitted that the rejection rested in the main on inconsistencies discerned in the various versions given by the appellant in addition to what the IAA considered was implausibility attending his account. The appellant complained that his claims were the subject of significantly different factual findings as between the delegate and the IAA, with the IAA not having heard from the appellant, reflecting the diminished "merit review" available to "fast track applicants".

[7]

Appellant's submissions 23 The appellant argued that the FCCA judge erred in concluding that the IAA could review a delegate's decision where the delegate had not accorded the appellant procedural fairness. The failure to accord procedural fairness was described as follows: [T]he delegate failed to provide him with the KPMG report (abridged or unabridged), failed to provide him with sufficient information relating to the breach and failed to apply the presumption considered by the High Court in SZSSJ/SZTSI to have remedied the want of procedural fairness occasioned by the lack of disclosure of the report. 24 The appellant contended that: (1) The application of the assumption identified in SZSSJ at [91]-[92] (set out at [9] above) ("SZSSJ assumption"), that the appellant's personal information had been accessed by the persons or entities from whom the appellant feared persecution or other relevant harm, required "clear language indicating that the delegate was proceeding on the basis that the Lanza group and the Sri Lankan authorities had accessed the information". The delegate's failure to apply the SZSSJ assumption was a breach of common law principles of procedural fairness. (2) By failing to consider whether the delegate denied the appellant procedural fairness, the FCCA judge impermissibly conflated the following two questions: • whether a decision [the delegate's decision] was attended by error as an objective fact relevant to some other legal question to be determined [whether the IAA had jurisdiction to review the delegate's decision]; and • whether the FCCA had power to grant relief. (3) The delegate's denial of procedural fairness means that the delegate's decision was in fact no decision and the IAA therefore had no jurisdiction to embark upon the truncated merits review mandated. (4) The truncated and non-voluntary form of review provided for by Pt 7AA is insufficient to cure a denial of procedural fairness, in contrast to the appeal under consideration in Twist v Randwick Municipal Council [1976] HCA 58; (1976) 136 CLR 106 and the merits review of the Refugee Review Tribunal considered in Yilmaz v Minister for Immigration & Multicultural Affairs [2000] FCA 906; (2000) 100 FCR 495. (5) The FCCA judge relied incorrectly on SZGME v Minister for Immigration & Citizenship [2008] FCAFC 91; (2008) 168 FCR 487 ("SZGME") in support of a general proposition that merits review bodies exercise power over valid and invalid decisions alike. SZGME concerned merits review by the Refugee Review Tribunal, an inquisitorial tribunal whose jurisdiction was invoked by failed applicants and which provided full merits review, in contrast to the fast track process in which the IAA provides "truncated compulsory 'merit' review". (6) The FCCA judge wrongly held (at [11], [12], [29], [35] and [41] of his Honour's reasons) that he was unable to consider whether jurisdictional error (in the form of a denial of procedural fairness) attended the delegate's decision because the FCCA did not have jurisdiction to review that decision.

[8]

Minister's submissions 25 The Minister argued that: (1) The IAA's jurisdiction operates upon the fact of a decision of the kind referred to in s 473CC having been made. The Minister noted that the alleged defect in the delegate's decision was not as to a jurisdictional fact and argued that it "only concerned the asserted relevance of the SZSSJ assumption". (2) The IAA statutory processes in Pt 7AA were capable of "curing" that alleged defect because the IAA could, if it considered it necessary and in the proper exercise of its powers, make the SZSSJ assumption. (3) In SZWAJ, Griffiths J considered a relevantly similar case and rejected the proposition that the procedural fairness obligations to the applicant were affected by the reasoning in SZSSJ, saying (at [26]): It is critical to note that, in the proceeding here, the Data Breach occurred prior to the appellant applying for a protection visa. The processes which then ensued before both the Minister's delegate and the Tribunal provided the appellant with an opportunity to say whatever she wished to say concerning the implications of the Data Breach for her entitlement to protection. Subject to relevant provisions in the Migration Act the statutory processes of considering and determining her application for a protection visa, both by the delegate and on review by the Tribunal, attracted procedural fairness obligations. The appellant did not point to any aspect of those processes which involved procedural unfairness to her. Nor is her case strengthened by her reliance on SZSSJ High Court because of the findings made there concerning the different process which had commenced in respect of the aggrieved persons in those proceedings. (4) Before both the delegate and the IAA, the appellant was able to make submissions about the data breach and, if he had wished at any time prior to the delegate's decision, seek any further information that might assist him about the data breach. Common law principles of procedural fairness did not require the delegate to make the SZSSJ assumption. (5) The IAA did make the SZSSJ assumption, as the primary judge found.

[9]

Consideration 26 The IAA's jurisdiction to review the delegate's decision is only in doubt if there was a denial of procedural fairness by the delegate. The FCCA judge did not decide whether the delegate had denied the appellant procedural fairness, considering that he did not have jurisdiction to do so (at [35]-[42]). The parties did not argue the correctness of the FCCA judge's conclusions on that point, but their submissions put in issue whether the delegate had denied the appellant procedural fairness. In my view, the FCCA judge was not precluded from addressing this question in order to address the argument raised by the appellant about the IAA's power. 27 In my view, the FCCA judge should have concluded that the delegate did not fail to accord the appellant procedural fairness in the fashion contended for by the appellant in accordance with SZWAJ. The appellant had an opportunity, which he availed himself of, to make submissions to the delegate about the implications of the data breach for his claims for protection. The delegate addressed those claims, without reference to the KPMG report. In those circumstances, the appellant was not deprived of any opportunity to address the delegate on any relevant matter. 28 It follows that, in my opinion, the FCCA judge did not err in finding that the IAA had jurisdiction to review the delegate's decision. 29 Accordingly, it is not necessary to consider whether the IAA has jurisdiction to review a decision of a delegate affected by a denial of procedural fairness. In any event, I note that in Plaintiff M174/2016 v Minister for Immigration and Border Protection [2018] HCA 16, the High Court of Australia held that a failure by the delegate to comply with s 57(2) of the Act could not have the consequence that there is no "fast track reviewable decision" capable of referral by the Minister (or his delegate) to the IAA under s 473CA. At [52], Gageler, Keane and Nettle J concluded: The limitations on the form of review for which Pt 7AA provides are in the end insufficient to warrant departure from the Brian Lawlor construction [referring to Collector of Customs (NSW) v Brian Lawlor Automotive Pty Ltd (1979) 24 ALR 307]. Applying that construction, a fast track reviewable decision triggering the operation of the Part and forming the subject of the Authority's review is a decision made in fact to refuse to grant a protection visa to a fast track applicant, regardless of whether or not that decision is legally effective. 30 It follows that the FCCA judge did not err in concluding that the IAA had jurisdiction to review the delegate's decision regardless of any denial of procedural fairness by the delegate.

[10]

Appellant's submissions 31 The appellant argued that the primary judge erred in not finding that the Minister had failed to comply with s 473CB(1) of the Act by not providing the IAA with the "unbridged KPMG report", leading to error by the IAA. Section 473CB(1) provides relevantly: (1) The Secretary must give to the Immigration Assessment Authority the following material (review material) in respect of each fast track reviewable decision referred to the Authority under section 473CA: (a) a statement that: (i) sets out the findings of fact made by the person who made the decision; and (ii) refers to the evidence on which those findings were based; and (iii) gives the reasons for the decision; (b) material provided by the referred applicant to the person making the decision before the decision was made; (c) any other material that is in the Secretary's possession or control and is considered by the Secretary (at the time the decision is referred to the Authority) to be relevant to the review; ... 32 The appellant's argument, which was also made to the FCCA (as set out at [64] and [65] of the FCCA judge's reasons), was: (1) Section 473CB(1)(c) required that the IAA be provided with the details of the data breach as it pertained to the appellant, including by detailing precisely what information relating to the appellant had been disclosed and to whom. (2) This could only have been done by provision of the unabridged version of the KPMG report, and would have enabled the appellant to determine whether he could prove that the Sri Lankan state or the Lanza group had accessed his information. (3) The non-provision of the KPMG report could only have been rendered immaterial if the IAA had adopted the SZSSJ assumption. (4) The FCCA judge held (at [68]-[71]) that the KPMG report was not so critical to the review that it could be said that the Secretary did not discharge his "obligation to form a view" that the report was relevant to the review, purportedly applying SZOIN v Minister for Immigration and Citizenship [2011] FCAFC 38; (2011) 191 FCR 123 ("SZOIN"). (5) The FCCA judge's analysis failed to take into account the nature of the "data breach material" (which I take to be the unabridged version of the KPMG report) and in the circumstances it would not be inferred that the Secretary had lawfully formed the view that the unabridged report was not relevant. The appellant submitted that the reasons in SZSSJ v Minister for Immigration and Border Protection [2015] FCAFC 125 at [118]-[121] are "instructive" in considering whether it would be inferred that the Secretary formed the view that the KPMG report was not relevant.

[12]

Consideration 34 In SZOIN at [54], Bennett and McKerracher JJ held that the objective relevance of a document is not the test to be applied by reason of s 418(3) (which, as the FCCA judge observed, is relevantly similar to s 473CB(1)(c)), "except perhaps in an extreme case where the document was so clearly critical that it could only be inferred that failure to supply it to the Tribunal meant that there was no discharge of the obligation to form a view". 35 The appellant asserted but did not explain why the unabridged KPMG report was "so clearly critical" that the exception identified in SZOIN had application. In particular, he did not explain why it was "so clearly critical" to determine whether he could prove that the Sri Lankan state or the Lanza group had accessed his information. In my view, it was open to the FCCA judge to form the view that the exception identified in SZOIN did not apply for the reasons given by his Honour. 36 Contrary to the appellant's submissions, the FCCA judge was not required to consider whether the Secretary "had lawfully formed the view that the unabridged report was not relevant". 37 In any event, the FCCA judge found that, on a fair reading of the IAA's decision, the IAA had made the SZSSJ assumption which, on the appellant's own argument, rendered the non-provision of the KPMG report immaterial. The IAA decision-maker explicitly addressed the issue of the data breach and found, having regard to the findings of the Full Court in SZSSJ, that he was "open to accepting the possibility the Sri Lankan authorities have accessed" the data breach material. The IAA decision-maker then concluded that: 31. … I do not consider there to be any material significance to the applicant's risk of harm that his personal details were included in the data breach. I consider the Sri Lankan authorities would be able to identify the applicant applied for asylum in Australia from the circumstances of the his [sic] departure from return [sic] to Sri Lanka. 32. I am not satisfied the data breach creates any independent or cumulative real chance the applicant will face serious harm if he is returned to Sri Lanka. 38 In my view, that finding was open to the FCCA judge on the material set out above. 39 Accordingly, I reject the second ground of appeal

At a glance

Court

Decision date

Before

Source

Judgment (13 paragraphs)

Parties

Legislation Cited (2)

Cases Cited (17)