Tag: privacy

Australian Clinical Labs fined AU$5.8 Million for 2022 Medlab Data Breach in an Australian First

The Federal Court has ordered Australian Clinical Labs (ACL) to pay AU$5.8 million in civil penalties following a 2022 data breach involving its then newly acquired Medlab Pathology business. The breach affected over 223,000 individuals whose data was accessed and exfiltrated by malicious actors, and it is one of Australia’s most significant healthcare cyber incidents.

This marks the first time civil penalties have been imposed under the Privacy Act 1988 (Cth), setting a critical precedent for privacy enforcement in Australia.

ACL was found to have breached several obligations and was fined:

  • AU$4.2 million for failing to take reasonable steps to secure personal information (APP 11.1), with over 223,000 contraventions of s 13G(a).
  • AU$800,000 for not conducting a timely and adequate assessment of whether the breach was an “eligible data breach” under s 26WH(2).
  • AU$800,000 for delays in notifying the Commissioner about the breach (s 26WK(2)).

Justice Halley described the breaches as “extensive and significant,” highlighting failures in senior management oversight, risk management, and the potential for serious individual harm. Although ACL cooperated, admitted liability, and began improving cybersecurity, the ruling is a warning to organisations handling sensitive information to have robust and compliant breach response processes.

Penalties have increased substantially since ACL’s breach, now reaching up to AU$50 million per breach. This case signals a turning point in privacy enforcement in Australia and sends a clear message: serious privacy failures will come with serious consequences.

Key Lessons

  • Plan ahead: Delays in assessing and reporting breaches were penalised. Legal, cybersecurity, and privacy teams must align to ensure incident response frameworks are ready.
  • Cyber due diligence: Poor IT integration during ACL’s acquisition of Medlab was noted. Acquirers must conduct thorough data and cyber due diligence, especially when sensitive personal information is involved.
  • Regulatory pressure is rising: This case used the old (lower) penalty regime. Under current laws, boards and executives face even greater accountability.

By: Cameron Abbott, Rob Pulham and Stephanie Mayhew

Australian Privacy Law Reform Tranche 2: The Time for Conversation is Over

By: Cameron Abbott, Rob Pulham, and Stephanie Mayhew

Tranche 2 of the Australian Privacy Act reforms is expected soon (perhaps imminently), following comments from the new Attorney-General in the media suggesting that the time for conversation and for lobbying is over. In an interview last month on Sky News, the Attorney-General said that the highly anticipated “second tranche” of Australian privacy law reform is coming, that “Australians are sick and tired of their personal data being exploited” and “not being protected,” and that “we will not have our privacy reforms dictated by multinational tech giants.”

Read More

New EDPB Guidelines: Processing Personal Data on Blockchain

By: Claude-Étienne Armingaud

The European Data Protection Board recently published its draft Guidelines 02/2025, which remain open to consultation until 09 June 2025. Stakeholders in the blockchain industry are encouraged to submit any observations before the finalization of these Guidelines.

Read More

Privacy Awareness Week 2025

By: Cameron Abbott, Rob Pulham, Stephanie Mayhew and Emre Cakmakcioglu

In Australia, last week was the 2025 Privacy Awareness Week (PAW), with this year’s theme ‘Privacy – it’s everyone’s business’. Among other things during PAW, the Office of the Australian Information Commissioner (OAIC) released a Privacy Foundations self-assessment tool, which produces a privacy maturity score based on tenets such as Accountability, Transparency, Collection and Data breach management. The tool, and PAW more broadly, emphasise that privacy is not just about compliance, but about good business and building trust. The NSW, Victorian and Queensland state governments each ran parallel PAW events.

Read More

New EDPB Statement on Age Assurance: What You Need to Know

By: Claude-Etienne Armingaud

On 11 February 2025, the European Data Protection Board (EDPB) adopted a new statement on age assurance. While not legally binding, the statement will guide the enforcement of age-gating methods across the EU. Age assurance refers to the methods used to determine an individual’s age or age range with varying levels of confidence or certainty.

Read More

Australian Privacy Law Reform – The Wait is (Almost!) Over

By: Cameron Abbott, Stephanie Mayhew, and Rob Pulham

The long-awaited privacy reform has finally been introduced into the Australian Parliament today with the introduction of the Privacy and Other Legislation Amendment Bill 2024. Described as ‘Tranche 1’ of the reforms, the Bill introduces significant uplifts to several aspects of Australia’s privacy laws.

Read More

Privacy Reform Bill Just Around the Corner

By: Cameron Abbott, Rob Pulham, and Lauren Hrysomallis

There appears to be a further delay to the long-anticipated privacy law reform legislation, most recently expected to be unveiled this month. But even with this delay the wait won’t be long; we could see a draft bill introduced in as little as three weeks’ time.

Read More

Illinois Reins in Excesses of Biometric Information Privacy Act: Form of Consent Expanded and Claims Limited

By: Cameron Abbott and Rob Pulham

In their recent article, Joseph Wylie, Kenn Brotman, and J. Morgan Dixon from our Chicago office discuss what the changes to Illinois privacy law will mean for companies collecting or sharing individuals’ biometric data.

Australian Privacy Reform Series Refresher: What Are These Reforms?

By: Cameron Abbott, Rob Pulham, and Stephanie Mayhew

In 2023 the Attorney-General’s Department released the “Privacy Act Review Report” (Review Report), which considered whether the Australian Privacy Act 1988 (Cth) and its enforcement mechanisms are fit for purpose in an environment where Australians now live much of their lives online and their information is collected and used for a myriad of purposes in the digital economy.

Read More

Disclosure Obligations for Cyber Ransom Payments: A New Cyber Security Act is Coming

By: Cameron Abbott, Rob Pulham, Stephanie Mayhew, Dadar Ahmadi-Pirshahid and Lauren Hrysomallis

A new Cyber Security Act is set to be unveiled in Parliament’s next sitting from 12 August, as reported by the ABC. The proposed Act would require Australian businesses and government bodies to disclose when they make a ransom payment to cybercriminals in the event of a hack, or face penalties of up to AU$15,000 for failing to notify.

Read More

Copyright © 2025, K&L Gates LLP. All Rights Reserved.