
13 October 2025
A turning point: Federal Court provides guidance in first-ever civil penalty proceeding under the Privacy Act
In the first civil penalty proceeding in the history of the Privacy Act 1988 (Cth) (Privacy Act), the Federal Court has ordered Australian Clinical Labs Limited (ACL) to pay civil penalties totalling AUD5.8 million for contraventions arising from a data breach in February 2022 (Cyberattack). The Cyberattack resulted in the unauthorised access and exfiltration of the personal information of over 223,000 individuals.
In this article, John Fogarty and Luke Callaghan discuss the significant ramifications of the Court's judgment (Judgment),[1] in which Justice Halley found that ACL contravened section 13G(a) of the Privacy Act by:
- failing to take reasonable steps to protect the personal information that it held as required by Australian Privacy Principle (APP) 11.1(b);
- failing to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred following the Cyberattack as required under section 26WH(2) of the Privacy Act; and
- failing to notify the Australian Information Commissioner (Commissioner) about the Cyberattack as required under section 26WK(2) of the Privacy Act.
DLA Piper acted for the Commissioner in this 'first of its kind' proceeding, which has provided important guidance on the application of the Privacy Act. Significantly, the Judgment provides clarity on the 'reasonable steps' obligation in APP 11.1(b) and on what must be done to assess whether an eligible data breach has occurred. The case also provides a salient warning about the need to promptly notify the Commissioner of an eligible data breach, and potentially paves the way for very substantial penalties for contraventions of the Privacy Act.
ACL's contraventions
ACL admitted that it had engaged in three separate categories of contraventions.
Personal information contraventions
Under APP 11.1(b), an APP entity must take “such steps as are reasonable in the circumstances” to protect personal information from “unauthorised access, modification or disclosure”. Justice Halley found that, in circumstances where ACL had acquired Medlab Pathology in December 2021, ACL had failed to implement adequate cybersecurity controls, which meant that it did not take reasonable steps under APP 11.1(b) to protect the personal information of approximately 223,000 individuals whose data ACL held on certain Medlab servers.[2]
In relation to the content of the APP 11.1(b) obligation, given that the provision had not previously been the subject of judicial consideration, Justice Halley drew on guidance from analogous provisions in the Corporations Act 2001 (Cth),[3] but also stated at [50]:
"Textually, APP 11.1(b) provides that an objective standard is to be applied to determine the steps that are required to be undertaken and necessarily the scope of those steps must be informed by the circumstances. There is no reason textually why the circumstances should not be given a broad construction. The circumstances could be expected to include the sensitivity of the personal information, the potential harm to individuals if the information was accessed or disclosed, the size and sophistication of the APP entity, the cybersecurity environment in which the APP entity operates, and any previous threats or cyberattacks made against the APP entity."
His Honour concluded that there were two broad categories of non-compliance with APP 11.1(b) which comprised the personal information contraventions, being:
- the 'Medlab IT Systems Deficiencies', being a series of cybersecurity deficiencies in the Medlab IT systems which ACL had acquired.[4] These included matters such as limited antivirus capabilities, weak authentication measures and limited firewall logging capabilities; and
- the 'Medlab Cyberattack Response Deficiencies', being a series of deficiencies in ACL's ability to respond to cyber incidents.[5] These included matters such as poorly defined roles and responsibilities for incident response efforts, limited security monitoring capabilities and the absence of multifactor authentication.
A question arose in the proceeding about how many contraventions of section 13G(a) could arise from a breach of APP 11.1(b). On one view, a breach of the 'reasonable steps' obligation could only give rise to a single contravention of section 13G(a) with the consequence that the maximum penalty available for such contravention under the penalty regime that was in place at the time of the data breach would be capped at AUD2.2 million. However, Justice Halley was satisfied that a separate contravention of section 13G(a) of the Privacy Act arose in respect of each of the 223,000 individuals whose personal information was held on deficient IT systems. This allowed him to impose the parties' proposed total penalty of AUD4.2 million in respect of these contraventions.
Assessment contravention
Section 26WH(2) of the Privacy Act provides that, if an APP entity is aware that there are reasonable grounds to suspect that there may have been an eligible data breach, but is not aware that there are reasonable grounds to believe that there was an eligible data breach, that APP entity must carry out a "reasonable and expeditious assessment" of whether there are reasonable grounds to believe that the unauthorised access amounted to an eligible data breach, and must take all reasonable steps to ensure that the assessment is completed within 30 days.
Justice Halley found that, in circumstances where the Cyberattack occurred on or before 25 February 2022, by 2 March 2022, ACL had "subjective knowledge or awareness of circumstances…that were objectively sufficient to establish in the mind of a reasonable person" the requisite reasonable grounds to suspect.[6] It did not matter that ACL had received advice from a third-party cybersecurity firm that no data had been exfiltrated,[7] given that:
- the assessment undertaken by that firm was limited and inadequate; and
- ACL was aware of the limited assessment that had been undertaken, and therefore it was unreasonable for ACL to rely solely on that assessment.[8]
A penalty of AUD800,000 was imposed in respect of this single contravention of section 13G(a).
Notification contravention
Section 26WK(2) of the Privacy Act provides that, if an APP entity has reasonable grounds to believe that there has been an eligible data breach, it must notify the Commissioner as soon as practicable after becoming so aware.
Justice Halley accepted that it would have been practicable for ACL to have notified the Commissioner within two to three days after forming the requisite state of knowledge (being 16 June 2022, after it received a notification from the Australian Cyber Security Centre about the Cyberattack), but that ACL did not do so until 10 July 2022. His Honour noted that the information to be included in the notification is "not particularly onerous" and that "[t]he notification only needs to provide a description of the data breach, the kind or kinds of information concerned, and recommendations about the steps that individuals should take in response to the eligible data breach".[9]
A penalty of AUD800,000 was imposed in respect of this contravention.
What this means for you
The Privacy Commissioner, Carly Kind, has referred to the Judgment as a "turning point in the enforcement of privacy law in Australia."[10] The key takeaways are:
1. Possibility for very high civil penalties
The data breach that was the subject of this proceeding occurred when the maximum penalty per contravention was AUD2.2 million. Justice Halley has now confirmed that multiple contraventions can flow from a breach of APP 11.1(b) and that the number of contraventions can turn on the number of affected individuals, i.e. the number of individuals whose privacy was interfered with under section 13G. Cyberattacks and other data breaches that affect large numbers of Australians may now expose the custodians of personal information to very substantial pecuniary penalties.
Notably, in 2022 the maximum penalty under the Privacy Act for a single contravention under section 13G was significantly increased from AUD2.2 million to the greater of:
(a) AUD50 million;
(b) if a Court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit; and
(c) if a Court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
The proceeding also signals the regulator's desire to take enforcement action to obtain pecuniary penalties that will deter contraventions of the Privacy Act.
2. Clarification of the eligible data breach regime
The Judgment confirms that an APP entity must promptly report eligible data breaches "as soon as practicable" after forming reasonable grounds to believe that a data breach has occurred, and that a period of two or three days would be practicable. Justice Halley also noted that the data breach notification is "not particularly onerous", so APP entities should consider themselves on notice that, if in doubt, it is prudent to notify the Commissioner to avoid the potential for civil penalties.
3. Delegation of an APP entity's duties
Although an APP entity can engage third-party specialists to assist with its response to a cyber incident, unreasonable reliance on that third party's advice will not protect the APP entity from liability. This means that in-house expertise will typically be required to critically analyse the advice that is being provided and to independently assess whether an eligible data breach has occurred.
4. APP entities in high-risk industries are on notice
Justice Halley noted that "ACL was operating in a high cyber threat landscape with a significant cyber risk profile and was aware of that fact".[11] APP entities operating in similarly high-risk industries are on notice that they are expected to take steps that appropriately respond to this risk. Providers operating within Australia's healthcare system in particular should take heed of the Judgment.
5. IT and cyber due diligence is key
The bulk of the contraventions of APP 11.1 stemmed from ACL's acquisition of the Medlab IT Systems. Prior to the acquisition of those systems, ACL's due diligence had not identified the extant vulnerabilities.[12] This reinforces that thorough due diligence in any acquisition is critical to identify potential IT and cybersecurity vulnerabilities, which may otherwise lead to enforcement risk under APP 11.1.