Category: Privacy, Data Protection & Information Management

1. Australian Clinical Labs fined AU$5.8 Million for 2022 Medlab Data Breach in an Australian First
2. New Zealand Privacy Law Amendment Act Passes
3. Australian Privacy Law Reform Tranche 2: The Time for Conversation is Over
4. China’s New DPO Registration Requirement: What You Need to Know
5. UK Data Use and Access Bill Becomes Law
6. New EDPB Guidelines: Processing Personal Data on Blockchain
7. Privacy Awareness Week 2025
8. Pay the Price, Now ‘Fess Up’: Reporting Obligations for Ransomware Payments Are Live
9. New EDPB Statement on Age Assurance: What You Need to Know
10. Navigating the Intersection of Data Scraping and Artificial Intelligence–A Global Data Protection Authorities Take

Australian Clinical Labs fined AU$5.8 Million for 2022 Medlab Data Breach in an Australian First

The Federal Court has ordered Australian Clinical Labs (ACL) to pay AU$5.8 million in civil penalties following a 2022 data breach involving its then-newly acquired Medlab Pathology business. The breach affected over 223,000 individuals whose data was accessed and exfiltrated by malicious actors, and it is one of Australia’s most significant healthcare cyber incidents.

This marks the first time civil penalties have been imposed under the Privacy Act 1988 (Cth), setting a critical precedent for privacy enforcement in Australia.

ACL was found to have breached several obligations and was fined:

  • AU$4.2 million for failing to take reasonable steps to secure personal information (APP 11.1), with over 223,000 contraventions of s 13G(a).
  • AU$800,000 for not conducting a timely and adequate assessment of whether the breach was an “eligible data breach” under s 26WH(2).
  • AU$800,000 for delays in notifying the Commissioner about the breach (s 26WK(2)).

Justice Halley described the breaches as “extensive and significant,” highlighting failures in senior management oversight, risk management, and the potential for serious individual harm. Although ACL cooperated, admitted liability, and began improving cybersecurity, the ruling is a warning to organisations handling sensitive information to have robust and compliant breach response processes.

With maximum penalties having increased since ACL’s breach, now up to AU$50 million per serious contravention, this case signals a turning point in privacy enforcement in Australia and sends a clear message: serious privacy failures will come with serious consequences.

Key Lessons

  • Plan ahead: Delays in assessing and reporting breaches were penalised. Legal, cybersecurity, and privacy teams must align to ensure incident response frameworks are ready.
  • Cyber due diligence: Poor IT integration during ACL’s acquisition of Medlab was noted. Acquirers must conduct thorough data and cyber due diligence, especially when sensitive personal information is involved.
  • Regulatory pressure is rising: This case used the old (lower) penalty regime. Under current laws, boards and executives face even greater accountability.

By: Cameron Abbott, Rob Pulham and Stephanie Mayhew

Australian Privacy Law Reform Tranche 2: The Time for Conversation is Over

By: Cameron Abbott, Rob Pulham, and Stephanie Mayhew

Tranche 2 of the Australian Privacy Act reforms is expected soon (perhaps imminently), following comments from the new attorney general in the media that suggested the time for conversation and for lobbying is over. The attorney general noted in an interview last month on Sky News that the highly anticipated “second tranche” of Australian privacy law reform is coming, saying “Australians are sick and tired of their personal data being exploited” and “not being protected,” and that “we will not have our privacy reforms dictated by multinational tech giants.”


China’s New DPO Registration Requirement: What You Need to Know

By: Amigo Xie, Dan Wu and Sarah Kwong

On 18 July 2025, China’s Cyberspace Administration (CAC) officially launched its online portal (Portal) for registration of China Data Protection Officers (China DPO). This operationalizes the requirements under Article 52 of the Personal Information Protection Law (PIPL).


New EDPB Guidelines: Processing Personal Data on Blockchain

By: Claude-Étienne Armingaud

The European Data Protection Board recently published its draft Guidelines 02/2025, which remain open to consultation until 09 June 2025. Stakeholders in the blockchain industry are encouraged to submit any observations before the finalization of these Guidelines.


Privacy Awareness Week 2025

By: Cameron Abbott, Rob Pulham, Stephanie Mayhew and Emre Cakmakcioglu

In Australia, last week was the 2025 Privacy Awareness Week (PAW), with this year’s theme ‘Privacy – it’s everyone’s business’. Among other things in PAW, the Office of the Australian Information Commissioner (OAIC) produced a Privacy Foundations self-assessment tool, which provides a privacy maturity score on the basis of tenets such as Accountability, Transparency, Collection and Data breach management. The tool, and PAW more broadly, emphasise that privacy is not just about compliance, but about good business and building trust. The NSW, Vic and QLD state governments have each run parallel PAW events.


Pay the Price, Now ‘Fess Up’: Reporting Obligations for Ransomware Payments Are Live

By: Cameron Abbott, Rob Pulham, Stephanie Mayhew and Emre Cakmakcioglu

As of 29 May 2025, the requirement on businesses to report ransomware payments they make has come into effect.


New EDPB Statement on Age Assurance: What You Need to Know

By: Claude-Etienne Armingaud

On 11 February 2025, the European Data Protection Board (EDPB) adopted a new statement on age assurance. This statement, while not legally binding, will guide the enforcement of age-gating methods across the EU. Age assurance refers to the methods used to determine an individual’s age or age range with varying levels of confidence or certainty.


Navigating the Intersection of Data Scraping and Artificial Intelligence–A Global Data Protection Authorities Take

By: Claude-Etienne Armingaud and Anna Gaentzhirt

In alignment with the ongoing concerns of several European data protection authorities that have published guidelines on data scraping (i.e., the Dutch DPA, the Italian DPA and the UK Information Commissioner’s Office), the Global Privacy Assembly (GPA)’s International Enforcement Cooperation Working Group (IEWG) recently published a Joint statement on data scraping and the protection of privacy (signed by the Canadian, British, Australian, Swiss, Norwegian, Moroccan, Mexican, and Jersey data protection authorities) to provide further input for businesses when considering data.


Copyright © 2025, K&L Gates LLP. All Rights Reserved.