Bilal v Australian Information Commissioner [2026] FCA 376

This case started with a straightforward access request. In February 2025, Ali Bilal asked The Procare Group Pty Ltd for access to all personal information it held about him. He followed up in March 2025. Procare refused. The Court recorded that Procare said the information had been collected or handled on behalf of EML NSW, an agent for Insurance and Care NSW, and that Procare said it was exempt from the Australian Privacy Principles in that situation because it was acting under a contract for EML and was a contracted service provider for a State contract.

Mr Bilal tried again a few days later and was refused again. He then lodged a complaint with the Office of the Australian Information Commissioner on 24 April 2025. His complaint was not vague. He asked the Commissioner to investigate Procare's refusal, declare that a serious interference with privacy had occurred, require Procare to provide complete access to all personal and health-related information held about him, investigate whether Procare had used the same reasoning in other cases, and award him damages.

The OAIC acknowledged the complaint on the same day and said a staff member would contact him about next steps. In the complaint form, Mr Bilal had nominated email as his preferred contact method and had not provided phone or mobile details. According to the judgment, there was then no further contact for about four months.

On 22 August 2025, the OAIC delegate emailed Mr Bilal saying an attempt had been made to contact him that day but he could not be reached. The delegate then declined to investigate the complaint under s 41 of the Privacy Act. The email said Mr Bilal claimed the respondent had interfered with his privacy by not deleting his account and personal data. That description was central to the case because it was wrong. The complaint was about refusal to provide access to information, not refusal to delete information.

The most important point for business readers is that this was not a final ruling on the underlying privacy entitlement. The Federal Court was not deciding whether Procare was right or wrong to refuse access. It was deciding whether the Australian Information Commissioner lawfully exercised the power under s 41 of the Privacy Act to decline to investigate the complaint.

That distinction matters. Judicial review is about legality of decision-making. The Court asks whether the decision-maker used the right power, asked the right question, took the right process and complied with procedural fairness. It does not simply substitute its own view on the merits of the original privacy dispute.

Here, the Commissioner had already conceded that the delegate's decision was affected by error and should be set aside. But the parties still disagreed about how the error should be characterised and what relief should follow. The Commissioner argued the problem was essentially that the delegate assumed AFCA was an appropriate external dispute resolution scheme without first making inquiries to justify that conclusion. Mr Bilal pressed a broader point. He said the OAIC had not dealt with the complaint he actually made and had denied him natural justice.

Justice Stewart said it was unnecessary to spend much time on the narrower debate once there was an obvious and sufficient error on the face of the decision. The delegate had fundamentally misunderstood and misconstrued the nature of the complaint. That alone was enough to set the decision aside.

The central legal issue was whether the OAIC's decision under s 41 of the Privacy Act was authorised by law when the delegate had not dealt with the act or practice actually complained of. Section 41 allows the Commissioner to decide not to investigate an act or practice about which a complaint has been made. The Court held that this power is miscarried if the decision-maker declines to investigate some other act or practice instead.

That is exactly what happened here. Mr Bilal's complaint was about refusal to provide access to personal and health information. The delegate treated it as a complaint about failure to delete an account and personal data. The Court described this as a fundamental misunderstanding and misconstruction of the complaint.

The Court also had to decide whether procedural fairness applied before a complaint could be declined under s 41. Justice Stewart held that it did. A decision not to investigate can adversely affect a complainant's rights as an individual, including the right to have the complaint investigated under s 40, and there was nothing in the Privacy Act showing a legislative intention to exclude procedural fairness.

On the facts, the applicant had not been given an opportunity to make submissions on whether the complaint should be declined, particularly on whether it was suitable for referral to an external dispute resolution scheme. That omission was material because the decision could realistically have been different if he had been able to correct the Commissioner's misconception.

The Federal Court set aside the OAIC decision dated 22 August 2025 and referred the complaint back to the Commissioner for decision according to law. The Court also declared that the respondent's conduct in failing to afford procedural fairness before making the s 41 decision was unlawful. The Commissioner was ordered to pay the applicant's costs.

Justice Stewart held that the delegate had fundamentally misunderstood the complaint. Because s 41 concerns declining to investigate the act or practice complained of, it was a misuse of the power to decline to investigate a different issue. That was enough to justify setting the decision aside under the Administrative Decisions (Judicial Review) Act 1977 (Cth).

The Court separately held that procedural fairness applied to a decision under s 41. The applicant had not been given any opportunity to be heard before the complaint was declined, especially on the question whether AFCA was an appropriate alternative forum. The Court found that this was a material error because the decision could realistically have been different if the applicant had been able to correct the misconception about the complaint and the alternative process.

But the Court did not give the applicant everything he asked for. He wanted the Court to direct that the complaint not be declined under s 41 and instead be determined under s 52. The Court refused. It said that would wrongly limit the Commissioner's statutory power in advance. Parliament had given the Commissioner authority to decide whether there was a lawful basis to use s 41, and the Court would not pre-empt that future decision. The Court also refused to declare that the complaint was valid because that point was not actually in dispute and the remittal already dealt with the practical consequence.

Although the respondent in this case was the Australian Information Commissioner, the commercial setting is familiar. Many businesses hold information through layered arrangements: outsourced claims handling, health administration, software support, labour hire, payroll processing, customer service outsourcing, and government-linked service delivery. In those settings, a business may say it is acting for another entity, that another organisation controls the records, or that a different complaint body is the better forum. Those positions may sometimes be correct, but they need to be precise.

The first practical lesson is to identify the request accurately. Access, correction, deletion and complaint escalation are different things. If a person asks for access to personal information, your response should address access. If you answer a different question, the dispute can become harder to resolve and more vulnerable to challenge.

The second lesson is to document who holds the information and in what capacity. If your business says it collected or handled information on behalf of another entity, your records should show the relevant relationship, the role each entity plays, and why that matters under the applicable privacy framework. A broad statement that you are only a service provider may not be enough if the request, complaint or regulator asks more specific questions.

The third lesson is to be careful when pointing to another forum. If you say a matter belongs with AFCA or another recognised scheme, that should be based on the actual complaint and a proper understanding of whether that forum can deal with it. A referral pathway that is assumed rather than checked can create delay and legal risk.

The fourth lesson is procedural. If a complaint process is underway, accuracy in correspondence matters. Misdescribing the complaint can shape the whole decision-making chain. Even where your business is not the decision-maker, your own submissions, records and communications may influence how the issue is characterised.

This judgment is a reminder that privacy disputes are often won or lost on documents and conduct before the substantive issue is ever resolved. The Court paid close attention to the original request, the wording of the complaint, the preferred contact details provided in the webform, the four-month period with no contact, and the wording of the delegate's email. Those details mattered because they showed the complaint had been framed one way and decided another way.

For businesses, that means operational discipline is important. Keep copies of the request, the refusal, any explanation of exemptions or contractual roles, and any later complaint correspondence. If your business uses templates, make sure they are specific enough to match the actual issue. Generic wording can create confusion, especially where the person is asking for access to health or other sensitive information.

The case also shows that communication method can matter. Mr Bilal nominated email as his preferred contact method and left phone fields blank. The delegate later referred to an attempted contact on the day of the decision. The Court did not treat the four-month period itself as unreasonable delay, but it did find procedural fairness had been denied because the applicant was not given an opportunity to be heard before the complaint was declined. In practical terms, businesses should not assume a single attempted contact, especially by a different method, will always be enough where an important decision is about to be made.

The key dates help explain the procedural context. The access request was made in February 2025, followed by a further enquiry in March 2025. The OAIC complaint was lodged on 24 April 2025. The delegate declined to investigate on 22 August 2025. Judicial review proceedings were then commenced on 17 September 2025. The Federal Court delivered judgment on 2 April 2026.

The current legal significance of the case is narrow but important. It stands as authority that a s 41 decision can be set aside where the Commissioner misunderstands the complaint and where procedural fairness is not afforded before declining to investigate. It should not be read as deciding the underlying merits of the access request or as ruling generally on whether a service provider in Procare's position was exempt from the Australian Privacy Principles.

This page is based on the Federal Court's reasons in Bilal v Australian Information Commissioner [2026] FCA 376, delivered by Stewart J on 2 April 2026. The judgment concerns judicial review of an OAIC decision under s 41 of the Privacy Act 1988 (Cth), together with relief under the Administrative Decisions (Judicial Review) Act 1977 (Cth).

The case should be read as an administrative law and procedural fairness decision in the privacy complaint context. It is not a final determination of whether the original refusal of access by Procare was lawful, and it does not resolve the broader privacy obligations of all service providers operating under State or government-linked contracts.