Gao v Australian Information Commissioner [2026] FCA 24

This case began with a customer complaint about an attempted electricity account transfer and a related credit check. Mr Peng Gao complained to the Australian Information Commissioner about the conduct of Lumo Energy Australia Pty Ltd and illion Australia Pty Ltd. According to the judgment, the complaint related to an inquiry made to Lumo in November 2021 about transferring an electricity account to Lumo. Lumo then contacted illion to obtain a credit assessment, and the transfer ultimately did not proceed.

The dispute was factually sharp. Mr Gao said he had only made an enquiry and had not authorised Lumo to set up an account, disclose his personal information to a credit reporting body, or trigger the creation of a credit report. He also complained about later emails and account-related communications that he said were inconsistent or unauthorised. His complaint referred to Australian Privacy Principles, credit reporting provisions in the Privacy Act, and also alleged misleading conduct and other wrongdoing.

Lumo’s account, as summarised in the OAIC correspondence reproduced in the judgment, was very different. Lumo said Mr Gao telephoned on 12 November 2021 to set up an electricity account, provided personal details including identification information, asked about the purpose of a credit check, and agreed to that credit check being performed. Lumo also said it made privacy and credit reporting information available on its website and issued a welcome pack that included a notifiable matters statement. The OAIC later obtained a copy of the call recording as part of its preliminary inquiries.

That difference in factual narrative is important for business readers. Many privacy disputes do not begin with a dramatic data breach. They begin with a disagreement about what the customer asked for, what the business understood, and whether the next step in the process was properly explained.

The complaint was not limited to the bare fact that a credit check occurred. Mr Gao alleged a broader pattern of improper collection, disclosure and use of his personal information. The judgment restates his complaint in detail. In substance, he said Lumo had no proper basis to provide his information to illion, that illion should not have established a credit report or client reference in the circumstances, and that later emails about account confirmation, activation and identification requirements were inconsistent with what had actually happened.

The OAIC’s summary of the complaint recorded Mr Gao’s position that he contacted Lumo on 12 November 2021 simply to enquire about transferring his electricity supply, did not agree to become a Lumo customer, did not authorise Lumo to set up a new account, and did not authorise disclosure of his personal information to a credit reporting body. The OAIC summary also recorded his allegation that illion improperly collected his personal information from Lumo and used it to establish a credit report about him.

Against that, the OAIC set out Lumo’s response in considerable detail. Lumo said the call was a sign-up call, not a mere enquiry. It said Mr Gao told Lumo he wanted to sign up an electricity account, provided his full name, date of birth, mobile number, driver licence number, concession card details and email address, and selected billing preferences. Lumo said it explained that an external credit check was required to set up the account, answered Mr Gao’s question about the purpose of the check, and obtained his agreement before proceeding. Lumo also said the credit check result was referred internally because further photographic identification was required to complete the assessment.

For a business owner, this is a familiar kind of dispute. A customer says, "I was only asking questions." The business says, "You were applying for the service and agreed to the next step." When that happens, the practical contest often turns on records, scripts, notices and system-generated communications rather than on broad legal labels alone.

The legal issue before the Federal Court was narrower than the allegations themselves. The Court was not simply deciding afresh whether Lumo or illion had breached the Privacy Act. Instead, the case was a judicial review application under the Administrative Decisions (Judicial Review) Act 1977 (Cth) challenging the OAIC delegate’s decision under s 41(1) of the Privacy Act not to investigate the complaint further.

The judgment says the originating application did not identify formal grounds of review. Even so, the Court recorded that Mr Gao’s affidavits and submissions contended that the OAIC had made errors of law or adopted a wrong approach in deciding that the acts or practices complained of were not an interference with privacy. That distinction matters. Judicial review is concerned with the legality of the decision-making process, not whether the Court would have preferred a different factual conclusion on the underlying complaint.

The proceeding also had a procedural complication. Mr Gao sought orders directed at illion and Lumo, including destruction or de-identification of information, even though they were not respondents to the proceeding as commenced. He filed three interlocutory applications which, in substance, sought to join illion and Lumo as respondents and obtain relief against them. The Court therefore had to deal with both the judicial review application and the attempted expansion of the proceeding into something more directly aimed at the companies.

That is an important point for businesses. A complaint pathway can have several stages. First there is the complaint to the OAIC. Then there may be a court challenge to the OAIC’s decision. But even where the business is not the formal respondent in the court proceeding, the business’s records and conduct can still be central because they informed the regulator’s assessment in the first place.

The result is clear from the orders. Moshinsky J dismissed Mr Gao’s three interlocutory applications and dismissed the originating application for judicial review. The Court also made costs orders in favour of the respondent, with a process for fixing costs on a lump sum basis unless a different costs order was sought by written submission.

The judgment also records a note that the respondent was requested to provide a copy of the reasons to Lumo and draw its attention to paragraph [89]. Because the available reasons are incomplete, it is not safe to make stronger public claims about the significance of that paragraph without the full text.

What can be said confidently is this. The Court did not set aside the OAIC’s decision not to investigate the complaint further. The Court also did not grant the interlocutory relief that would have brought Lumo and illion into the proceeding as respondents in the way Mr Gao sought. So the case remained a challenge to the OAIC decision, and that challenge failed.

Just as importantly, business readers should not overread the outcome. The dismissal of the judicial review application does not, by itself, amount to a broad final court finding on every underlying privacy allegation made against Lumo or illion. The decision was about the lawfulness of the OAIC’s process and decision on the complaint before it.

The judgment gives a useful picture of the kinds of material that can matter in an OAIC complaint and any later court challenge. The Court referred to affidavit material, a court book of relevant documents, email correspondence, and audio files. One annexure was a transcript of the audio recording of the telephone conversation between Mr Gao and Lumo on 12 November 2021. The OAIC had also obtained Lumo’s call recording of that conversation.

The OAIC correspondence reproduced in the judgment shows that the regulator considered the complaint itself, the applicant’s later comments and documents, Lumo’s written response, and supporting material including a credit reporting collection statement. Lumo’s response also included a proposal to resolve the matter by de-identifying personal information it held about Mr Gao and arranging for the credit enquiry to be removed from illion’s records if the applicant agreed. The matter did not resolve on that basis.

For businesses, this part of the case is highly practical. When a complaint is made, the regulator may not be looking only at your privacy policy. It may look at the actual customer journey. That can include the call script, what the staff member said in real time, what the customer asked, what was entered into the system, what notices were available on the website, what was sent in a welcome pack, what SMS messages were issued, and whether later emails accurately reflected the status of the application.

The extract also shows how automated communications can become part of the dispute story. Mr Gao complained about emails from illion and Lumo referring to account creation, confirmation and activation. Whether those messages were system-generated, conditional, preliminary or final may matter less than whether they created confusion when read against the rest of the customer interaction. Businesses should make sure their automated messages match the true status of the customer’s application and any pending verification steps.

Businesses should read this case as a process-and-evidence case, not as a signal that privacy complaints are easy to defeat. The available reasons show that the OAIC made preliminary inquiries, considered the competing accounts, and decided not to investigate further. The Court then dismissed the challenge to that decision. That tells businesses two things.

First, the quality of your records can shape the regulator’s view long before any court becomes involved. If your business uses phone sign-up, online forms, identity verification, credit checks or third-party data providers, you should be able to reconstruct the customer journey clearly. If a customer later says they only made an enquiry, you need evidence showing whether and when they moved into an application process.

Secondly, consistency matters. Your staff script, website wording, privacy notice, credit reporting statement, welcome pack, SMS reminders and follow-up emails should all line up. If one part of the process suggests an account has already been created while another says more identification is still required, that inconsistency can become part of the complaint itself.

This is not limited to energy retail. Similar issues can arise in telecommunications, subscription services, equipment hire, trade accounts, finance-adjacent services and any business that collects identity details and checks creditworthiness before supplying goods or services on terms. The practical question is always the same: if a regulator asked tomorrow exactly what happened, could your business prove it with contemporaneous records?

A useful way to apply this case is to audit your onboarding process from first contact to approval, decline or cancellation. Focus on the points where personal information is collected, where a customer may move from enquiry to application, and where information is disclosed to a third party such as a credit reporting body.

Ask whether your process would make sense to an outsider reading it months later. Could a regulator tell from your records what the customer asked for, what your staff explained, and why a credit check was run? Could you show what notices were available at the time and what documents or messages were actually sent? Could you explain any automated account creation or activation emails in a way that matches the real operational status of the application?

Businesses often have the right documents somewhere, but not in a way that tells one coherent story. A privacy policy may sit on the website, a script may sit in a training manual, and a CRM note may sit in a separate system. If those pieces do not line up, the business can look disorganised even where the underlying process was intended to be compliant.

The judgment is dated 30 January 2026. The complaint to the Australian Information Commissioner was lodged on 9 May 2022. An OAIC delegate wrote on 25 May 2023 indicating an intention not to investigate the complaint further, invited further comments, and another delegate made the final decision on 15 June 2023 not to investigate further under s 41(1) of the Privacy Act. Mr Gao then lodged an originating application for judicial review dated 5 July 2023, which was filed on 14 July 2023. The Court later extended time if and to the extent necessary.

The hearing of the interlocutory applications and the originating application took place on 8 October 2025. The Court dismissed the interlocutory applications and the judicial review application, and made costs orders.

The available reasons are incomplete. Because of that, this page keeps its focus on the procedural story, the orders made, and the practical business reading that can be stated safely from the published material.