Privacy penalties – the beginning of a new era
A recent Federal Court decision is a watershed moment for privacy law in Australia. The judgement in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 is one of many firsts, including:
- the first civil penalty handed down under the Privacy Act 1988 (Cth);
- assessment of Australian Privacy Principle (APP) 11.1(b), being the obligation for entities to take reasonable steps to protect the personal information they hold from unauthorised access, modification, or disclosure; and
- judicial consideration of the requirement to notify the Office of the Australian Information Commissioner (OAIC) ‘as soon as practicable’ after an eligible data breach.
We consider the recent decision and its implications for Australian businesses.
Key takeaways
- This decision was made in the context of the former section 13G of the Privacy Act, which contained a maximum penalty of A$2.2 million for bodies corporate. This has now been increased, meaning most companies in Australia will be exposed to a maximum penalty of A$50 million per contravention.
- Given the size of the maximum penalty and that a penalty may be applied for each individual impacted, there are substantial risks for businesses and insurers alike. Cyber incidents now have the potential to bankrupt even Australia's largest companies. It is imperative to remain proactive in maintaining and uplifting cyber security practices.
- Businesses cannot wholly outsource their cyber and privacy obligations by relying on third-party assessments. They must take responsibility for their own cybersecurity posture.
- In the context of mergers and acquisitions, cyber risk should become a key concern when undertaking due diligence.
- APP entities should carefully consider when to notify the OAIC in relation to an eligible data breach.
Future action will be subject to the higher penalty provisions now in force under the Privacy Act.
Background
Australian Clinical Labs (ACL) is one of the largest private hospital pathology businesses in Australia. In December 2021, ACL acquired Medlab, a pathology business that collected and held personal information and sensitive information in connection with providing health services.
In February 2022, Medlab’s computer assets were the target of a ransomware attack. ACL instructed a computer forensics firm to investigate the incident; the firm completed a 44.5-hour investigation over a small subset of the impacted computers. Based on that investigation and the absence of evidence of data exfiltration, ACL ultimately formed the view in March 2022 that the incident was not an eligible data breach requiring notification to the OAIC or to impacted individuals.
On 16 June 2022, the Australian Cyber Security Centre (ACSC) notified ACL that dark web monitoring had identified that Medlab data, including personal information, health information and credit card details, had been published on the dark web. Despite the initial forensic investigation finding no evidence of data exfiltration, approximately 86GB of data appeared to have been stolen and published. The impacted dataset included personal information of more than 223,000 individuals. ACL subsequently notified the OAIC of the incident on 10 July 2022.
The OAIC's case and the proceedings
On 3 November 2023, following an investigation into ACL’s compliance with the notifiable data breaches scheme set out in the Privacy Act, the OAIC commenced civil penalty proceedings against ACL.
The OAIC alleged that ACL had committed multiple ‘serious interferences with the privacy of an individual’ as defined in section 13G of the Privacy Act, by reason of the following conduct:
- breaching APP 11.1(b);
- contravening section 26WH(2) of the Privacy Act, which required ACL to carry out a reasonable and expeditious assessment of whether an incident amounts to an eligible data breach, and take all reasonable steps to ensure that the assessment is completed within 30 days; and
- contravening section 26WK(2) of the Privacy Act, which required ACL to notify the OAIC of an eligible data breach as soon as practicable after becoming aware there were reasonable grounds to believe there has been an eligible data breach.
Decision
The OAIC and ACL jointly sought orders for declarations rather than proceeding to a full hearing. The Federal Court approved the proposed pecuniary penalty of A$5.8 million for various breaches of section 13G(a) of the Privacy Act, broken down as follows:
- A$4.2 million for the 223,000 contraventions (representing the number of impacted individuals) arising from breaches of APP 11;
- A$800,000 for the single contravention of s 26WH(2) of the Privacy Act; and
- A$800,000 for the single contravention of s 26WK(2) of the Privacy Act.
ACL was also ordered to pay A$400,000 towards the OAIC’s legal costs of the proceedings.
We set out the Court’s key findings below.
Serious interferences with privacy – section 13G(a)
Section 13G, as in force at the time of the cyber incident, establishes a civil penalty framework for ‘serious and repeated interferences with privacy’. An ‘interference with privacy’ is relevantly defined under section 13 to include acts or practices that breach any of the APPs, section 26WH, or section 26WK. On this basis, all of the allegations made by the OAIC, if found to be serious, were capable of giving rise to a civil penalty against ACL.
APP 11.1(b) – reasonable steps to protect personal information
APP 11.1(b) requires an APP entity that holds ‘personal information’ to take ‘such steps as are reasonable in the circumstances’ to protect personal information from ‘unauthorised access, modification or disclosure’. The Court adopted a broad construction of this obligation, indicating that ‘the circumstances’ could be expected to include:
In ACL’s case, ACL did not meet the APP 11.1(b) obligation, and this failure was serious, due to (among other things):
Breach of section 26WH(2) – carrying out a reasonable and expeditious assessment of a suspected eligible data breach
The Court held that ACL failed to carry out a reasonable and expeditious assessment of the suspected eligible data breach after becoming aware of the ransomware incident in February 2022. Although ACL obtained professional advice regarding the cause, nature and extent of the cyber incident from a third-party specialist, the forensic assessment covered only a subset of the impacted computers and involved an inadequate number of assessment hours. In the circumstances, the Court found this assessment was inadequate and that it was unreasonable for ACL to rely on it. This breach amounted to a ‘serious’ interference with the privacy of an individual due to:
Breach of section 26WK(2) – notifying the OAIC as soon as practicable after an eligible data breach
The Court held that from at least 16 June 2022, being the date of the ACSC’s notification of data publication, ACL had reasonable grounds to believe there had been an eligible data breach. On this basis, it was required to notify the OAIC as soon as practicable. The Court accepted ACL’s admission that it would have been practicable to prepare a notification statement and notify the OAIC within two to three days of the ACSC’s notification. ACL’s failure to make a report until 10 July 2022 therefore amounted to a breach. For the same reasons as found in relation to the breach of section 26WH(2), this breach amounted to a ‘serious’ interference with the privacy of an individual due to:
Number of contraventions
For the breaches of APP 11.1(b), the Court held that the statutory context and the wording of the Privacy Act justified a conclusion that ACL had separately contravened section 13G of the Privacy Act for each of the 223,000 individuals whose personal information was held in the Medlab systems and impacted in the cyber incident. This was particularly because:
This decision was made under the version of section 13G in force at the time of the cyber incident (which has since been amended), which imposed a maximum penalty of only 2,000 penalty units per contravention. At the time of the cyber incident, this was a maximum of A$2.2 million per contravention for bodies corporate, amounting to a maximum penalty of over A$495 billion for the APP 11.1(b) breaches.
Adequacy of penalty
Despite the maximum penalty and the judicial criticism of ACL’s cybersecurity posture, the Court held that the agreed penalty of A$5.8 million was appropriate as ACL:
ACL was also ordered to pay A$400,000 towards the OAIC’s legal costs in bringing the proceedings.
Implications
This decision should serve as a timely reminder to businesses about the importance of ongoing cybersecurity reviews, particularly to minimise the chances of repeated breaches and remain alert to developing cyber risks and industry privacy standards.
This decision was also handed down in the context of the former section 13G of the Privacy Act, which contained a maximum penalty of A$2.2 million for bodies corporate. Under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth), the maximum civil penalties for bodies corporate were increased to the greater of:
- A$50 million;
- three times the value of the benefit gained from the breach; or
- 30% of the annual adjusted turnover of the entity, if the value of the breach cannot be determined.
The Court’s confirmation that a cyber incident may amount to a contravention for each impacted individual arguably creates an absurd and impracticable level of risk for APP entities. By way of example, under section 13G of the Privacy Act most companies in Australia will be exposed to a maximum penalty of A$50 million per contravention. For a breach impacting 1,000 individuals (which is not a large breach in our experience), the organisation faces a maximum potential penalty of A$50 billion. For organisations with a turnover of A$1 billion in a financial year, it is plausible that the maximum penalty will be A$300 million per contravention (and may be higher if the ‘adjusted turnover period’ extends beyond 12 months). If a company of this size experiences a breach impacting 10,000 individuals (not an uncommon number of individuals impacted by a data breach), the maximum penalty is A$3 trillion.
How courts assess the adequacy of fines and penalties for privacy breaches will now require significant attention, as this Court’s decision regarding the number of contraventions means that cyber incidents have the potential to bankrupt even Australia’s largest companies.
In more recent amendments to the Privacy Act in 2024 (discussed in a previous insight), the OAIC was also given expanded powers to commence legal proceedings seeking civil penalties for non-serious interferences with privacy. The maximum penalty per contravention for a body corporate is currently A$3.3 million. Given the potential for compounding penalties per individual impacted and the high maximum penalties, the risk to businesses is significant. More than ever, businesses should be making cyber and privacy compliance a key priority and remain on high alert to address key risks before they become a reality.
For M&A practitioners and prospective purchasers, it should not be ignored that the IT assets that were subject to the ransomware attack previously belonged to Medlab, an entity acquired by ACL only 10 weeks earlier. The Court criticised ACL’s failure to identify the deficiencies in Medlab’s systems prior to acquisition. Cyber risks should be carefully factored into due diligence assessments, as a failure to identify cybersecurity vulnerabilities can amount to a serious interference with privacy.
If you have any questions, please get in touch with Hall & Wilcox’s market-leading cyber and privacy teams to discuss how these changes are likely to impact you or your business.
This article was written with the assistance of Daniel Williams and Charlotte van de Poll.