AIC’s Civil Penalty Proceedings Against ACL: A Reminder For All Entities On Updated Penalty Provisions
Written By
Partner
Australia
I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.
Senior Associate
Australia
I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.
Partner
Australia
I'm a dispute resolution and regulatory investigations partner in our Sydney office. I work with clients to solve complex issues facing their businesses, whether that is a commercial dispute or engagement with regulatory agencies.
Related
Practices
- International Dispute Resolution
- Privacy and Data Protection
- Data Privacy Litigation
- M&A Post Completion - Data Protection Integration and Gap Closing
Sectors
Regions
Countries
As noted in our article, regulation of data has emerged as a key focus for Australian regulators in recent years. Consistent with this, on 3 November 2023, the Australian Information Commissioner (AIC) commenced Federal Court proceedings against Australian Clinical Labs (ACL) in respect of a data breach which occurred in February 2022, alleging that it had ‘seriously interfere[ed] with the privacy of millions of Australians’.
In particular, the AIC alleges that ACL has contravened its obligations in the Privacy Act 1988 (Cth) (Privacy Act) to:
- take reasonable steps to protect the personal information it holds from unauthorised access, in circumstances where the failure to do so left ACL vulnerable to a cyberattack;
- carry out a reasonable and expeditious assessment of whether an eligible data breach has occurred within 30 days of becoming aware of it; and
- notify the AIC of an eligible data breach as soon as practicable after the entity is aware of reasonable grounds to believe it has occurred.
In late 2022, the maximum civil penalty applicable to body corporates for serious or repeated breaches of privacy under the Privacy Act was increased (see our article here) to an amount not more than the greater of:
- AU$50 million;
- if a court can determine the value of the benefit obtained – 3 times the value of that benefit; and
- if a court cannot determine the value of that benefit – 30% of the body corporate’s adjusted turnover during the breach turnover period.
Given that ACL’s alleged conduct occurred prior to these increased penalty provisions, they will not be applicable to ACL should the Federal Court determine ACL contravened the Privacy Act as alleged by the AIC. However, the increased penalties will apply to any organisation who is found to have contravened section 13G of the Privacy Act in relation to conduct occurring on or after December 2022.
APP entities should also be aware that the Australian Government’s response (Response) to the Attorney General’s report which proposed a series of reforms to the Privacy Act (see our article here) agreed with the proposals to strengthen privacy enforcement, including:
- creating tiers of civil penalty provisions, by introducing a:
- mid-tier civil penalty provision to cover interferences with privacy that do not meet the threshold of being ‘serious’; and
- low-level civil penalty provision for administrative breaches of the Privacy Act, in respect of which the AIC is empowered to issue infringement notices with set fines;
- expanding the AIC’s enforcement powers; and
- granting powers to the Federal Court, Federal Circuit Court and Family Court to make any order they see fit after a civil penalty relating to an interference with privacy has been established.
Given the Office of the AIC was granted additional funding for enforcement in the 2023-24 budget (see our article here), we expect further regulatory action in this space.