Cyber and privacy law update - accountability gets real
Insight Article, 30 October 2025
Region: Asia Pacific
Topic: Tech & AI evolution
The first-ever civil penalty award of $5.8 million is one of four recent decisions signalling the OAIC's enforcement-led approach.
The Australian privacy landscape has undergone a significant shift, with regulators demonstrating an unprecedented willingness to pursue enforcement action and impose substantial penalties for privacy breaches. Recent decisions by the Office of the Australian Information Commissioner (OAIC) and the Federal Court, including the first ever civil penalty of $5.8M for breaching the Privacy Act, signal a new era of accountability for organisations handling personal information.
Privacy reforms: A strengthened regulatory framework
The first tranche of Privacy Act reforms, passed in December 2024, has fundamentally altered the enforcement landscape. The OAIC now wields significantly broadened powers through a new three-tiered civil penalty regime that reflects the seriousness with which Parliament views privacy compliance.
Under the new framework, organisations face escalating consequences for privacy failures. Tier 1 penalties for specified administrative failures allow the Privacy Commissioner to issue infringement notices of up to $330,000 per contravention for corporations and $66,000 for individuals. Tier 2 addresses interferences with privacy that fall short of being 'serious,' with penalties reaching $3.3 million for corporations. Most significantly, Tier 3 penalties for serious interferences with privacy now carry maximum penalties of $50 million, three times the value of any benefit obtained, or 30% of adjusted turnover during the relevant period.
Additional reforms already in effect include requirements for notification of automated decision-making involving personal information, the introduction of technical and organisational measures to protect personal information as a compliance framework, and offences for doxxing. The new statutory tort for serious invasions of privacy is now also in force, allowing individuals to bring damages claims against a wrongdoer where that person intrudes on the ‘individual’s seclusion’ or that person ‘misuses information’ that relates to the individual, which is defined to include collecting, using or disclosing information about the individual (see here for more details).
Understanding APP 11: Data security obligations
Australian Privacy Principle 11 forms the cornerstone of data security obligations under the Privacy Act 1988. APP 11.1 requires that APP entities, which includes businesses and not-for-profits with more than $3M annual revenue, must take 'reasonable steps' to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Additionally, APP 11.2 requires entities to destroy or de-identify personal information in certain circumstances when it is no longer needed.
The concept of 'reasonable steps' is deliberately flexible and dependent on context. What constitutes reasonable protection for a small business holding limited customer contact details will differ significantly from what is required of a healthcare provider managing sensitive medical records for hundreds of thousands of patients. The assessment is always made 'in the circumstances,' taking into account factors such as the sensitivity of the information, the volume of data held, the potential harm if the information were compromised, the size and resources of the organisation, and the current threat environment. Until the recent decision in Australian Information Commissioner v Australian Clinical Labs, discussed further below, there had, however, been no judicial guidance on what 'reasonable steps in the circumstances' required in practice.
APP 11 does not prescribe specific technical measures or security standards. Instead, it requires organisations to assess their particular circumstances and implement appropriate safeguards.
A recent critical enhancement: Technical and organisational measures
The first tranche of privacy reforms in late 2024 also introduced a significant enhancement to APP 11, with the concept of 'reasonable steps' now expressly including 'technical and organisational measures' to protect personal information. This amendment, which commenced in December 2024, elevates the importance of APP 11 compliance and aligns Australia's privacy framework with international standards such as the European Union's General Data Protection Regulation (GDPR).
While APP 11 still requires organisations to take 'reasonable steps in the circumstances,' the law now makes explicit what was previously implicit: that data security cannot be achieved through technology alone. When assessing what constitutes reasonable steps, organisations must now demonstrate that they have considered and implemented both technical and organisational measures.
The ACL case, decided after these reforms commenced, demonstrates that even without the amendments, inadequate organisational measures will attract the same scrutiny and penalties as failures of technical security.
What does 'reasonable steps' mean? Guidance given in the Australian Clinical Labs case
The Australian Clinical Labs (ACL) decision[1] has become the touchstone for understanding APP 11 obligations in the modern cybersecurity environment. On 29 September 2025, ACL agreed to pay a $5.8 million penalty following a 2022 data breach affecting 223,000 customers. The OAIC's successful prosecution alleged serious and systemic failures that left ACL vulnerable to cyberattack, exposing sensitive personal health information.
Under the civil penalty regime, the settlement needed to be approved by the Federal Court to ensure the penalty was legally justified, within the appropriate range and publicly accountable.
The Court’s decision was delivered by Justice Halley on 8 October 2025. The Court imposed three separate penalties that together illustrate the full spectrum of obligations when handling personal information. ACL was penalised $4.2 million for breaching APP 11 (failure to take reasonable steps in the circumstances to protect personal information), $800,000 for breaching section 26WH(2) (failure to carry out a reasonable and expeditious assessment of whether a data breach had occurred), and $800,000 for breaching section 26WK(2) (failure to make a statement about the data breach setting out specific required information). This breakdown demonstrates that significant penalties can arise not only from the security failures that enable a breach, but also from inadequate response once a breach is discovered. Organisations must have robust incident response capabilities to ensure they can promptly assess breaches and comply with notification obligations under the Notifiable Data Breaches scheme. Importantly, the parties agreed that the breach was sufficiently serious it should have been notified within 2-3 days, and the Court agreed.
Justice Halley's judgment provides crucial guidance on what constitutes 'reasonable steps' under APP 11.1. The Court found that circumstances requiring consideration include the sensitivity of personal information, potential harm to individuals, the size and sophistication of the organisation, the prevailing cybersecurity environment, and any previous threats or attacks.
The specific deficiencies identified in ACL's security posture included failing to implement application whitelisting to prevent unauthorised programs from running, behavioural-based analysis to detect malicious activities that might evade antivirus products, and the failure to deploy Data Loss Prevention tools on affected systems. Multi-factor authentication was not required for VPN access, and firewall logs were retained for only one hour, limiting security monitoring capabilities.
From a governance perspective, the Court accepted that ACL's incident response playbooks lacked clear role definitions and contained limited detail on containment processes. It further found that testing of incident management procedures had been inadequate following the acquisition of the relevant IT systems, and that the IT Team Leader responsible for incident response had received no formal cybersecurity training and had never used the incident response playbooks provided. The decision underscores that technical measures alone are insufficient; organisations must also implement robust governance frameworks, training programs, and incident response capabilities.
Another noteworthy aspect of the case is that the findings against ACL involved one part of its business only, which had belonged to Medlabs, an entity purchased by ACL roughly three months prior to the cyber incident. The decision therefore also has important implications for cybersecurity due diligence during M&A activity and the importance of promptly and effectively integrating technology systems post-acquisition.
Vinomofo: Reasonable steps in a cloud environment
Most recently, on 23 October 2025 the Privacy Commissioner found that online wine wholesaler Vinomofo interfered with the privacy of almost one million individuals by failing to take reasonable steps to protect the personal information it held from security risks, which ultimately led to a data breach.[4] In particular, the Commissioner found that Vinomofo could have taken the following steps:
- adding security logging capability;
- adopting appropriate cloud infrastructure security controls;
- using access monitoring controls to alert the respondent to suspicious or unauthorised activity;
- implementing and using more robust security policies and procedures; and
- addressing a poor culture of information security awareness and capability.
Facial recognition technology: Drawing the line
The OAIC's investigations into Bunnings Group Limited[2] and Kmart Australia Limited[3] have also established clear boundaries around the deployment of surveillance technologies, even when motivated by legitimate business objectives such as fraud prevention and safety.
Between June 2020 and July 2022, Kmart collected personal and sensitive information using facial recognition technology in 28 stores to detect refund fraud. Similarly, between November 2018 and November 2021, Bunnings deployed facial recognition in 68 stores, capturing the faces of all shoppers for comparison against a database of identified risks.
In determinations issued by the Privacy Commissioner in October 2025 and September 2025, both organisations were found to have breached multiple Australian Privacy Principles. Under APP 1, they failed to include information about facial recognition technology in their privacy policies and did not implement adequate practices and procedures for compliance. Under APP 3, they collected sensitive information without consent, as no applicable exception justified the collection. Under APP 5, they failed to take reasonable steps to notify individuals about the collection of their biometric information.
Privacy Commissioner Carly Kind's statement accompanying these determinations articulated a crucial principle: 'Customer and staff safety, and fraud prevention and detection, are legitimate reasons businesses might have regard to when considering the deployment of new technologies. However, these reasons are not, in and of themselves, a free pass to avoid compliance with the Privacy Act.'
The message is clear - organisations must conduct thorough privacy impact assessments before deploying surveillance technologies, obtain genuine consent for the collection of sensitive information, ensure privacy policies accurately reflect data handling practices, and consider whether less intrusive alternatives could achieve the same business objectives.
Practical steps forward
The recent enforcement actions and regulatory reforms require a thoughtful and considered response from organisations handling personal information. Boards and executive leadership should prioritise cybersecurity governance, ensuring that technical and organisational measures are commensurate with the sensitivity and volume of personal information held. Regular testing of incident response procedures, meaningful security awareness training for all staff, and engagement of appropriately qualified cybersecurity personnel are no longer optional.
Before deploying any new technology that collects or uses personal information, organisations must conduct thorough privacy impact assessments and ensure privacy policies accurately reflect actual data handling practices. Where sensitive information is involved, genuine consent must be obtained unless a specific exception applies.
The clear message from recent enforcement action is that accountability in privacy and cybersecurity is no longer aspirational - it is expected, scrutinised, and rigorously enforced. Organisations that fail to prioritise privacy compliance do so at significant financial, legal and reputational risk.
For further information about privacy compliance obligations, or assistance with cyber incident response plans, privacy impact assessments and governance frameworks, please contact our Cyber and Privacy team.
[1] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224
[2] Commissioner Initiated Investigation into Bunnings Group Limited (Privacy) [2024] AICmr 230 (29 October 2024)
[3] Commissioner Initiated Investigation into Kmart Australia Limited (Privacy) [2025] AICmr 155 (26 August 2025)
[4] Commissioner Initiated Investigation into Vinomofo Pty Ltd (Privacy) [2025] AICmr 175 (17 October 2025)