ARTICLE
2 November 2025

$5.8 Million Privacy Penalty – A First For Privacy Law Enforcement

Mark Vincent, Spruson & Ferguson

A wake-up call for organisations required to comply with privacy laws, the Australian Federal Court's $5.8 million penalty against Australian Clinical Labs Limited (ACL) marks the first civil penalty under Australia's Privacy Act.

The case sets a new enforcement standard for privacy compliance, and provides valuable insights. Regulators now have both the appetite and the judicial support to impose significant penalties, and organisations must act swiftly on breach notifications, maintain internal oversight, and address cyber risks proactively.

Key takeaways

  • Organisations must take proactive, risk-based steps to protect personal information, including robust incident response, internal capability, and not over-relying on third-party providers.
  • Each individual affected by a breach counts as a separate contravention, significantly increasing potential penalties for large-scale incidents.
  • Notification of eligible data breaches must occur within days, not weeks, and delays, even when relying on external assessments, are unacceptable.
  • Acquiring entities immediately inherit privacy and cybersecurity liabilities for acquired systems and data, underscoring the need for thorough due diligence, appropriate SPA treatment for deficient IT security and rapid remediation.
  • Early cooperation with regulators and demonstrable remediation efforts can help reduce penalties, but regulators are now empowered and willing to impose significant sanctions for non-compliance.
  • Penalties in this case were limited by the previous penalty regime, which capped fines at $2.22 million per contravention. Future enforcement actions could impose penalties of up to $50 million, three times the benefit gained, or 30% of annual turnover per contravention.

This decision signals heightened expectations for organisations handling personal information in Australia. In this article, we set out key legal and compliance insights arising from the judgment.

First civil penalty for privacy non-compliance

On 8 October 2025, the Australian Federal Court delivered a landmark decision in Australian Information Commissioner v Australian Clinical Labs Ltd (No 2) [2025] FCA 1224, imposing the first civil penalty ever ordered under the Privacy Act 1988 (Cth) (Privacy Act).

The respondent, ACL, one of the largest private hospital pathology businesses in Australia, acquired Medlab Pathology in December 2021, inheriting its IT systems and sensitive patient data. About two months later, a malicious actor, the "Quantum Group", launched a ransomware attack on Medlab's systems, exploiting critical vulnerabilities and resulting in a major data breach.

The attack resulted in the theft and dark web publication of 86 gigabytes of data, including the personal and health information of over 223,000 individuals.

Penalties imposed on ACL

The Court endorsed agreed penalties totalling $5.8 million for the following contraventions under the Privacy Act:

  • $4.2 million - failure to take reasonable steps to protect personal information from unauthorised access, modification or disclosure (APP 11.1)
  • $0.8 million - failure to conduct a reasonable and expeditious assessment of whether there were reasonable grounds to believe that the circumstances of the Medlab cyberattack amounted to an eligible data breach (s 26WH(2))
  • $0.8 million - failure to notify the Commissioner "as soon as practicable" of the eligible data breach (s 26WK(2))
  • $0.4 million - contribution to the Office of the Australian Information Commissioner's (OAIC) costs.

Key legal and compliance lessons

1. "Reasonable steps" - key compliance expectations

"Reasonable steps" under APP 11.1 require proactive, risk-based security measures, including robust incident response planning, continuous monitoring, strong authentication, and clear accountability.

APP 11.1(b) requires an APP entity that holds "personal information" to take "such steps as are reasonable in the circumstances" to protect personal information from "unauthorised access, modification or disclosure". The Court provided clear guidance on what constitutes "reasonable steps", walking through the deficiencies in the security posture of the Medlab IT Systems.

The Federal Court found that ACL did not take "such steps as are reasonable in the circumstances" to protect personal information on the Medlab IT Systems from unauthorised access and disclosure, considering:

  • Business context | Size and nature of ACL's business
  • Data sensitivity | Volume and sensitivity of health and personal information
  • Risk environment | High cybersecurity risks during the relevant period and potential harm to individuals
  • System weaknesses | Existing Medlab IT Systems deficiencies
  • Due diligence gaps | Failure to identify deficiencies before acquisition and delays in remediation
  • Overreliance on third parties | Lack of internal capability to detect and respond to cyber incidents.

Key failings impacting ACL's ability to detect and respond by itself to cyber incidents included ACL's inadequate incident response playbooks, lack of clear roles and responsibilities, insufficient testing of incident management processes, and the absence of "Data Loss Prevention" tools. The Court also noted the lack of application whitelisting, limited communications plans, and inadequate security monitoring, with firewall logs retained for only one hour. Furthermore, Medlab staff were not required to use multifactor authentication for VPN access, and there was no specific data recovery plan.

2. Outsourcing does not remove accountability

The Court made it clear that an organisation cannot simply delegate its privacy compliance obligations to a third party.

The obligation to take "reasonable steps" under APP 11.1 remains with the entity, regardless of third party outsourcing arrangements. As the Court stated, "the obligation has been stated... not to be capable of being discharged simply by delegating it to another entity and doing nothing more" (at [51(b)]).

ACL's overreliance on external service providers, such as StickmanCyber, its third-party cybersecurity services provider, was a key factor in the Court's finding that it failed to take reasonable steps. The Court noted that ACL's "overreliance... on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents" contributed to the breach (at [52]).

Organisations must therefore maintain sufficient internal capability to oversee and respond to cyber risks, even when outsourcing. The decision also underscores the importance of ensuring that contracts with service providers clearly allocate obligations and liability, including prompt notification and action in relation to a data breach, cooperation with investigations, and defined roles and responsibilities for incident response.

3. Each individual breach counts separately

Privacy breaches are assessed on a per-individual basis, meaning large-scale incidents can result in hundreds of thousands of contraventions. Organisations must treat data protection as a critical compliance priority to avoid massive cumulative penalties.

The Court confirmed that "ACL engaged in a separate contravention of s 13G(a) in respect of each of the more than 223,000 individuals" (at [60]), on the basis that the objects of the Act make plain that it is directed primarily at the "protection of the privacy of individuals" - not the acts or practices that might breach the APPs (at [61]). On that basis, each affected individual constituted a separate contravention.

4. Notification "as soon as practicable" means days not weeks

Notification obligations under the NDB Scheme demand speed and internal readiness. Delays, even when outsourcing assessments, are unacceptable and can lead to serious contraventions.

The Court reinforced that organisations must act promptly and thoroughly when responding to data breaches. The Notifiable Data Breaches (NDB) Scheme, in force since 2018, requires an organisation to notify the OAIC as soon as practicable after it becomes aware that there are reasonable grounds to believe there has been an eligible data breach, i.e. one likely to cause serious harm to affected individuals (section 26WK of the Privacy Act).

The Court found that ACL's almost month-long delay in notifying the Commissioner was a serious contravention, noting that "it was practicable for it to have prepared and provided a compliant statement to the Commissioner within two to three days of it becoming aware" of the breach (at [89]).

The Court stressed that the notification requirements are "not particularly onerous and [are] intended to facilitate the provision of the notification as 'soon as practicable'" (at [88]) and that delays undermine the Commissioner's ability to perform statutory functions "of monitoring ACL's notification to individuals whose personal information may have been compromised, providing guidance and information about the impact of the Medlab Cyberattack and engaging with other Government agencies" (at [91]).

The Court criticised ACL's reliance on a limited external assessment by StickmanCyber to conclude that no data was compromised, reinforcing that organisations must ensure their assessments are robust and comprehensive. To comply, organisations should have a well-developed, regularly tested data breach response plan, ensure staff are properly trained on it so they can act swiftly and effectively, and ensure contracts with service providers support rapid investigation and notification.

5. Acquisitions bring immediate privacy liability

When acquiring a business, cybersecurity and privacy risks transfer on day one. Buyers must plan for rigorous due diligence and rapid remediation to avoid inheriting liability for past deficiencies.

The decision delivers a pointed lesson on risk allocation at completion: "On 19 December 2021, ACL acquired the assets of Medlab Pathology Pty Ltd (Medlab). From the date of acquisition, ACL owned and controlled Medlab's computer and communications hardware, computer and information technology systems, equipment, and software (Medlab IT Systems)".

The Court found that "ACL did not identify certain relevant vulnerabilities in the Medlab IT Systems prior to its acquisition" (at [16]), and that "the cybersecurity controls of the Medlab IT Systems were under the control of ACL from the commencement of the Relevant Period and were deficient from at least the time the assets of Medlab were acquired" (at [123]). In addition, "The Medlab IT Systems Deficiencies, to the knowledge of ACL, exposed the Medlab IT Systems to the risk of a cyberattack during the six-month period in which ACL was integrating them into ACL's core IT network" (at [123]).

The decision makes it clear that, from the moment of completion, the purchaser (ACL) became responsible for the privacy and cyber risks associated with the acquired IT systems and data, including any pre-existing vulnerabilities. To mitigate this risk, organisations should complete thorough pre-completion due diligence, secure robust contractual protections, such as indemnities or price adjustments for uncovered vulnerabilities, and implement immediate post-completion remediation. Failing to do so can leave the purchaser solely exposed to significant compliance and financial consequences.

6. Cooperation can reduce penalties

Regulators may reward early, genuine cooperation and demonstrable remediation efforts. Organisations should act swiftly to strengthen controls, engage openly with regulators, and document all corrective measures to reduce penalty exposure.

The Court considered that ACL's contraventions were "extensive and significant" (at [123]) and that ACL failed to "act with sufficient care and diligence in managing the risk of a cyberattack" (at [124]), given the nature of the information posted on the dark web, which had at least the potential to cause significant harm to individuals, including financial harm, distress or psychological harm, material inconvenience, and a potentially broader impact on public trust in entities holding private and sensitive information.

In addition, the Court noted that a hefty deterrent was warranted for one of Australia's largest private hospital pathology businesses, particularly as senior management was involved in "the decision making around the integration of Medlab's IT Systems into ACL's core environment and ACL's response to the Medlab Cyberattack" (at [127]-[128]).

Yet the Court ultimately accepted the settlement because:

  • ACL gained no financial benefit and had no prior record of misconduct
  • there was no deliberate intent to breach its obligations
  • ACL had already embarked on a cyber-uplift program (board-approved in July 2021), which included expanded staff training (from August 2022) and the appointment of a full-time Chief Information Security Officer in 2023
  • the CEO made an early apology and ACL made admissions, and
  • ACL cooperated extensively with the Commissioner's investigation (including production of some 12,000 documents).

The Court was convinced that the penalty was neither a mere "cost of doing business" nor oppressively severe, but sat within the permissible range to achieve both specific and general deterrence.

Organisations should be mindful that future enforcement could result in significantly higher penalties. The penalties in this case were imposed under the previous regime; since 2022, however, the Privacy Act allows for much higher penalties for serious interferences with privacy: up to $50 million, three times the benefit gained, or 30% of annual turnover per contravention.

How we can help

Privacy and cybersecurity continue to be critical governance priorities. Organisations should ensure their policies and processes are in place and fully tested in order to act swiftly on breach notifications and address cyber risks proactively. Now is the time to audit controls, strengthen response plans, and ensure compliance readiness.

If you require assistance in assessing your current controls, reach out to our legal experts who are specialists in data, privacy law and commercialisation. For more information on the team and our brochures, please head to our IP Law services page.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
