ARTICLE
9 November 2025

A Turning Point In Privacy Enforcement

Bennett & Philp Lawyers


By Devanshi Patel, Law Graduate, and Michael Finney, Director, Bennett & Philp Lawyers

As we have reported previously, the Privacy and Other Legislation Amendment Bill 2024 (Cth) (now known as the Privacy and Other Legislation Amendment Act 2024 (Cth) (Privacy Amendment Act) after receiving Royal Assent on 10 December 2024) sought to implement the first tranche of Australia's sweeping privacy reforms, which were designed to enhance and strengthen privacy laws, including an effort to bring the Australian laws more into line with the likes of the European GDPR.

Although the Privacy Amendment Act did not implement many of the more substantive proposals from an individual rights perspective, it did make material changes to the Privacy Act 1988 (Cth) (Privacy Act) penalties regime and the breadth of orders that can be made by the Federal Court under the Privacy Act. The Act introduced a new tiered civil penalty process with medium-level and low-level penalties effective from 11 December 2024 and compulsory 'compliance notices' that can be issued by the OAIC. In addition to these penalties, the Privacy Amendment Act allows the Federal Court to make a wide variety of orders for these contraventions. Orders made by the Court may now include orders to engage or refrain from engaging in certain activities, to pay compensation for loss to an individual, and to publish statements about the contravention.

Given that many businesses had previously understood that the penalty enforcement regime was rarely used by the Privacy Commissioner and that a civil penalty under the Privacy Act was quite a remote possibility given interferences with privacy needed to be serious, it is perhaps not surprising that complacency in the cyber security practices of many organisations had long been the norm. However, the strengthened enforcement tools now available to the privacy regulator and the widened orders available for breaches in the Federal Court have been expected to provide an important reminder to all APP entities1 that they must remain vigilant in securing and responsibly managing the personal information they hold.

On 8 October 2025 the Federal Court handed down a landmark decision2 ordering the first civil penalties under the Privacy Act 1988 (Cth), signalling the Court's willingness to ensure that organisations undertake reasonable and expeditious investigations of potential data breaches and report them to the Office of the Australian Information Commissioner appropriately. Australian Clinical Labs (ACL) was ordered to pay $5.8 million in civil penalties due to a significant data breach of its Medlab Pathology business in February 2022, which left sensitive personal and health information exposed.

Australian Information Commissioner, Elizabeth Tydd, welcomed the Court's orders, stating "Entities holding sensitive data need to be responsive to the heightened requirements for securing this information as future action will be subject to higher penalty provisions now available under the Privacy Act".

In its judgement, the Federal Court held that ACL failed to:

  • take reasonable steps to protect personal information held by ACL on Medlab Pathology's IT systems in accordance with Australian Privacy Principle 11.1;
  • carry out a reasonable and expeditious assessment where there were reasonable grounds to believe that there had been an eligible data breach following the cyberattack on the Medlab Pathology IT systems in February 2022 in contravention of s 26WH(2) of the Privacy Act;
  • prepare and give to the Australian Information Commissioner, as soon as practicable, a statement concerning the eligible data breach, in contravention of s 26WK(2) of the Privacy Act (having become aware of the data breach on 16 June 2022 but only notifying the Commissioner of the breach on 10 July 2022), and

Justice Halley also found that:

  • 'ACL's most senior management were involved in the decision making around the integration of Medlab's IT Systems into ACL's core environment and ACL's response to the Medlab Cyberattack, including whether it amounted to an eligible data breach.'
  • 'ACL's contraventions ... resulted from its failure to act with sufficient care and diligence in managing the risk of a cyberattack on the Medlab IT Systems'
  • 'ACL's contravening conduct ... had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience.'
  • 'the contraventions had the potential to have a broader impact on public trust in entities holding private and sensitive information of individuals.'

In December 2002, we reported that substantially increased maximum penalties had commenced which for a serious or repeated breach of privacy by a body corporate were increased to the greater of:

  • $50 million
  • three times the value of any benefit obtained through the contravention
  • if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the 'breach turnover period'

However, at the time of the contraventions in this ACL matter (prior to the 2022 amendments to the Privacy Act), the maximum civil penalty was prescribed as up to 2,000 penalty units and the value of a penalty unit was $222. Section 82(5)(a) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) provides that the pecuniary penalty for a body corporate must not be more than five times the pecuniary penalty specified for the civil penalty provision. Therefore, the maximum penalty that could be imposed under the penalty regime which was in force at the time of the ACL contraventions, was $2.22 million per contravention.

Based on the penalties in force at the time of the relevant breaches, Justice Halley cited a total maximum penalty for those breaches of $495,060,000,000. However, His Honour held that the agreed penalty of $5.8 million fell within the range of permissible penalties to achieve specific and general deterrence, and appropriately took into account the fact that the breaches all stemmed from a single incident, and mitigating factors such as the absence of any deliberate misconduct and ACL's active steps to improve its cybersecurity following the investigation.

The penalty ordered in this case signals that the Federal Court is prepared to enforce penalties where entities fall short of their cybersecurity obligations - even where the breach results from external malicious attacks rather than deliberate misconduct. This is a marked shift from prior practice, where civil penalty enforcement was rarely pursued.

Organisations should take this outcome as a clear warning: privacy compliance cannot be treated as optional or static, and the law requires immediate action and a roadmap for future privacy compliance. Proactively reviewing privacy practices and policies is a fundamental starting point to ensure they are compliant, particularly around the adequacy of the information contained in privacy policies, data breach response plans, collection statements, and direct marketing and consent collection mechanisms. For organisations that regularly collect or amass personal information, it is critical to consider your organisation's conduct in light of the possible risk of serious invasions of privacy, the potential litigation threat this may pose and how new and mitigating practices could reduce that risk. It is also important for organisations to consider introducing regular and comprehensive staff training on privacy and cyber risks, and additional organisational measures to ensure security.

Although the Privacy Amendment Act may have been a missed opportunity to tackle all of the 116 recommendations contained in the Attorney-General's Privacy Act Review Report of 2022,3 the Attorney-General's Department has indicated it will continue consulting on the second tranche of privacy reforms to which the Government has agreed or agreed in principle. These could include the removal or reduction of both the employee records exemption and the small business exemption, expanded individual rights such as the right to erasure, and a controller/processor distinction to mirror the GDPR.

Should the second tranche incorporate the remaining reforms, this may facilitate the transfer of data from the EU to Australia without the need for additional safeguards, by permitting Australia to be re-assessed for an 'adequacy decision' from the EU.

Bennett & Philp lawyers can help you understand your privacy obligations and update your systems today. Contact us for an obligation-free discussion on your business needs.

Footnotes:

1 Any agency or organisation subject to the Australian Privacy Principles (APPs) under the Privacy Act.

2 Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224.

3 https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
