The Australian Information Commissioner's Federal Court proceedings against Australian Clinical Labs Limited (ACL) represent a significant milestone for privacy law in Australia.
Recent major data breaches have affected millions of Australians, with their sensitive personal information exposed to the risk of identity fraud and scams. This has created a renewed focus on strengthening the enforcement of the Privacy Act 1988 (Cth) (Privacy Act). The proceedings demonstrate the Commissioner's shift to a more proactive approach, following the granting of new regulatory powers, increased penalties and additional funding.
The Commissioner commenced the proceedings on 3 November 2023, alleging that ACL contravened section 13G of the Privacy Act. Section 13G provides for a civil penalty where an organisation or government agency covered by the Privacy Act engages in a practice that seriously interferes with an individual's privacy. The Commissioner alleges that from May 2021 to September 2022, ACL seriously interfered with its customers' privacy by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure.
ACL collects and holds the health information of millions of Australians to provide tests through its pathology business. Personal information held includes contact details and copies of Medicare cards and numbers. The Commissioner conducted an investigation of ACL's privacy practices following a data breach in February 2022, which ACL notified to the Office of the Australian Information Commissioner (OAIC) in July 2022.
The rarity of cases relating to section 13G was highlighted in the Australian Government's Privacy Act Review Report, which noted the lack of judicial consideration of section 13G and difficulties in identifying when the threshold of 'serious interference' had been breached. The Commissioner has only taken action for civil penalties on one other occasion (against Facebook Inc), and these are the first proceedings brought in the context of allegations relating to a data breach. The Commissioner is currently investigating high-profile data breaches relating to Optus, Medibank Private and Latitude Financial. The current proceedings may be seen as a test case in relation to the interpretation of the legislation and the standards applied. Organisations will be particularly interested in any judicial consideration of the reasonable steps required to protect personal information from unauthorised access.
The maximum penalty for a breach of section 13G applicable in this case is $2,220,000 for each contravention (based on the penalty regime applicable at the time of the alleged conduct). We are likely to see more activity in this space in future, reflecting the substantially increased maximum penalties which commenced in December 2022 under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) (Privacy Enforcement Act).
Under the Privacy Enforcement Act, the penalty for a serious or repeated breach of privacy by a body corporate has been increased to the greater of:
- $50 million
- three times the value of any benefit obtained through the contravention
- if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the 'breach turnover period' (i.e. 12 months from the start of the month in which the offence occurred, or the duration of the contravention, whichever is longer).
The Privacy Enforcement Act also introduced reforms to the Notifiable Data Breach Scheme, which:
- provide the Commissioner with new powers to obtain information in relation to an actual or suspected eligible data breach
- expand the Commissioner's powers to assess an entity's compliance with the Privacy Act to include notification of eligible breaches
- require entities to set out the kinds of information involved in an eligible data breach.
Strengthening enforcement of the Privacy Act is one of five key focus areas identified in the Australian Government's Response to the Privacy Act Review released in September 2023. The Australian Government's response endorses proposed reforms to further boost the Commissioner's powers and regulatory toolkit, by introducing a tiered approach to civil penalty provisions, and expanding the scope of orders that the court may impose in civil penalty proceedings.
The Australian Government has agreed that the OAIC should conduct a strategic organisational review to ensure it is structured to have a greater enforcement focus, which will include consideration of its resourcing requirements. Going forward, we can expect to see the Commissioner making use of the full range of their new powers to enhance the effectiveness of Australia's privacy regulator.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.