AIC’s Civil Penalty Proceedings Against ACL: A Reminder For All Entities On Updated Penalty Provisions
Written By
Partner
Australia
I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.
Senior Associate
Australia
I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.
Partner
Australia
I'm a dispute resolution and regulatory investigations partner in our Sydney office. I work with clients to solve complex issues facing their businesses, whether that is a commercial dispute or engagement with regulatory agencies.
Related
Practices
- International Dispute Resolution
- Privacy and Data Protection
- Data Privacy Litigation
- M&A Post Completion - Data Protection Integration and Gap Closing
Sectors
Regions
Countries
As noted in our article, regulation of data has emerged as a key focus for Australian regulators in recent years. Consistent with this, on 3 November 2023, the Australian Information Commissioner (AIC) commenced Federal Court proceedings against Australian Clinical Labs (ACL) in respect of a data breach which occurred in February 2022, alleging that it had ‘seriously interfere[ed] with the privacy of millions of Australians’.
In particular, the AIC alleges that ACL has contravened its obligations in the Privacy Act 1988 (Cth) (Privacy Act) to:
- take reasonable steps to protect the personal information it holds from unauthorised access, in circumstances where the failure to do so left ACL vulnerable to a cyberattack;
- carry out a reasonable and expeditious assessment of whether an eligible data breach has occurred within 30 days of becoming aware of it; and
- notify the AIC of an eligible data breach as…
