EOFY Sale · Save up to $750 off your legals · Ends 30 June

Claim offer
Selected cases

Federal Court of Australia · [2026] FCA 24

Gao v Australian Information Commissioner

A Federal Court privacy case about a complaint involving an electricity provider, a credit reporting body and the Information...

Federal Court of Australia30 Jan 2026

Plain-English explainers, not legal advice. Check the linked official source before you rely on a specific section, and get advice for your situation.

Get legal help

Start here

Quick read

  • Privacy complaints can be won or lost on evidence and procedure.
  • A Federal Court privacy case about a complaint involving an electricity provider, a credit reporting body and the Information Commissioner's decision not to investigate.

Use this to check

  • Privacy complaint files should show what personal information was collected and why.
  • Credit reporting and customer-account decisions need a clear audit trail.
  • Regulator decisions can later be challenged, so business records may still matter after a complaint closes.

Decision snapshot

  1. 1

    What happened

    • Mr Gao complained to the Australian Information Commissioner that an electricity provider and a credit reporting body had breached the Australian Privacy Principles in the way they collected and handled his personal information.
    • The Commissioner decided not to investigate the complaint.
    • Mr Gao then sought judicial review in the Federal Court, arguing that the decision-making process was legally flawed and should be set aside under administrative law principles.
  2. 2

    What the court had to decide

    • The Court considered whether the Australian Information Commissioner made a reviewable legal error by exercising discretion not to investigate a complaint alleging breaches of the Australian Privacy Principles by an electricity provider and a credit reporting body.
  3. 3

    What the court decided

    • The Federal Court dismissed the judicial review application.
    • The Court was not satisfied that the applicant had established a material reviewable error in the Commissioner's decision not to investigate the privacy complaint.

Practical impact

Practical read

  • Privacy complaints can be won or lost on evidence and procedure.
  • Businesses handling customer or credit information should keep records that show what data was collected, why, who received it and how the complaint was assessed.

Useful next steps

  • Privacy complaint files should show what personal information was collected and why.
  • Credit reporting and customer-account decisions need a clear audit trail.
  • Regulator decisions can later be challenged, so business records may still matter after a complaint closes.
  • A procedural judicial review is different from a final finding that a business breached privacy law.
  • Keep privacy notices, consent records and customer account changes together.

Practical read

This is not a damages case against a business. It is a judicial review case about the Information Commissioner's decision not to investigate a privacy complaint. Still, it is useful for businesses because it shows how privacy disputes can become evidence-heavy and procedural.

The Court dismissed the application. The issue was not whether every privacy concern was commercially sensible or whether the customer was upset. The question was whether the Commissioner made a reviewable legal error in deciding not to investigate.

For businesses, the practical point is to keep a clean privacy file. If a customer challenges how personal information or credit information was handled, the business should be able to show collection notices, account records, credit reporting steps, complaint correspondence and the reason for each decision.

Checks to run

Key points

  • Keep privacy notices, consent records and customer account changes together.
  • Record when and why personal information is sent to a credit reporting body or other third party.
  • Give privacy complaints a central owner and written decision record.
  • Separate factual records from opinions or informal internal comments.
  • Check Privacy Act and credit reporting obligations before rejecting a customer complaint.

Key takeaways

  • Privacy complaint files should show what personal information was collected and why.
  • Credit reporting and customer-account decisions need a clear audit trail.
  • Regulator decisions can later be challenged, so business records may still matter after a complaint closes.
  • A procedural judicial review is different from a final finding that a business breached privacy law.

Related topics

Privacy & DataConsumer Law & Trading

How Sprintlaw can help

Privacy PolicyRegulatory Compliance