
Pathology lab becomes the first business to be fined in Australia for a privacy breach

In a recent court judgement – the first of its kind under the Privacy Act – Australian Clinical Labs was fined $5.8 million.

Last updated: 13 October 2025
Fact-checked: checked for accuracy by CHOICE's qualified verifiers and subject experts.

Need to know

  • In a groundbreaking judgement, Australian Clinical Labs was ordered to pay $5.8 million in penalties for contraventions of the Privacy Act.
  • The penalties would have been much higher had the data breach occurred after 13 December 2022, when the maximum penalty rose from $2.22 million per contravention to as much as $50 million.
  • Similar rulings could be made against Optus and Medibank, which have both been taken to court by the Office of the Australian Information Commissioner (OAIC).

In February 2022 the personal medical information of 223,000 people fell into the hands of scammers after the IT systems at Australian Clinical Labs (ACL) were breached.

It was a major cybercrime incident, yet ACL dragged its heels – first by failing to properly investigate whether a data breach had occurred and then by taking too long to inform the Office of the Australian Information Commissioner (OAIC) once the business knew its systems had been infiltrated.

In a recent court judgement – the first of its kind under the Privacy Act – ACL was ordered to pay $5.8 million in penalties for these and other contraventions of privacy legislation.

Most of the penalty ($4.2 million), however, was for failing to protect the data in the first place, something that is expected to become mandatory under the federal government's yet to be rolled out Scams Prevention Framework.

Australian Information Commissioner Elizabeth Tydd calls the unprecedented legal outcome "a notable deterrent and signal to organisations to ensure they undertake reasonable and expeditious investigations of potential data breaches and report them".

The judge in the case said ACL's negligence "had at least the potential to cause significant harm to individuals whose information had been exfiltrated, including financial harm, distress or psychological harms, and material inconvenience" and could have "a broader impact on public trust in entities holding private and sensitive information of individuals".

ACL penalty could have been a lot higher

Trust in how our data is collected and protected is already low. In September, Privacy Commissioner Carly Kind found that Kmart Australia had breached Australians' privacy by collecting their personal information without their consent in 28 of its stores through facial recognition technology (FRT), a system ostensibly designed to prevent refund fraud. How securely this data is held remains unclear. (The Privacy Commissioner and the Information Commissioner are both part of the OAIC.)

Kmart's secret use of FRT was originally uncovered through a 2022 CHOICE investigation, which also revealed the use of FRT at Bunnings and The Good Guys. The Privacy Commissioner recently made a similar ruling against Bunnings, a case that is currently under review by the Administrative Review Tribunal.

The OAIC did not pursue financial penalties in the Kmart case, but the financial penalties against ACL may be just the beginning – and they're on track to get a lot higher.

In August, Commissioner Tydd launched court proceedings against Optus following a cyberattack in September 2022 that resulted in the personal information of around 9.8 million Australians falling into the hands of criminals.

And in June last year, the OAIC filed a court case against Medibank Private following an October 2022 data breach that saw the sensitive health information of around 9.7 million Australians disappear into the criminal underworld.

The penalties against ACL would have been much higher had the data breach occurred after 13 December 2022, when the maximum penalty for a serious or repeated interference with privacy rose from $2.22 million per contravention to the greatest of $50 million, three times the benefit derived from the conduct, or 30% of the business's adjusted annual turnover per contravention.

Should the Optus and Medibank cases result in financial penalties, they would be determined according to the regime in place before 13 December 2022, since both breaches occurred before that date. Data breaches show no sign of going away, and whether the threat of higher fines will reduce them is an open question.

A turning point for privacy law

Referring to the recent ACL case, Commissioner Kind says "this outcome represents an important turning point in the enforcement of privacy law in Australia. For the first time, a regulated entity has been subject to civil penalties under the Privacy Act, in line with the expectations of the public and the powers given to the OAIC by parliament".


"This should serve as a vivid reminder to entities, particularly providers operating within Australia's healthcare system, that there will be consequences of serious failures to protect the privacy of those individuals whose healthcare and information they hold."
