The Australian Information Commissioner’s Federal Court proceedings against Australian Clinical Labs Limited (ACL) represent a significant milestone for privacy law in Australia.
Recent major data breaches have affected millions of Australians, with their sensitive personal information exposed, which in turn has opened them up to the risk of identity fraud and scams. This has created a renewed focus on strengthening the enforcement of the Privacy Act 1988 (Cth) (Privacy Act).
Enabled by newly granted regulatory powers, increased penalties and additional funding, the Commissioner is shifting to a proactive stance.
The Commissioner alleges that ACL contravened section 13G of the Privacy Act. Section 13G provides for a civil penalty where an organisation or government agency covered by the Privacy Act engages in a practice that seriously interferes with an individual’s privacy. The Commissioner is alleging that from May 2021 to September 2022, ACL seriously interfered with its customers’ privacy by failing to take reasonable steps to protect their personal information from unauthorised access or disclosure.
ACL collects and holds the health information of millions of Australians to provide tests through its pathology business. Personal information held includes contact details and copies of Medicare cards and numbers. The Commissioner conducted an investigation of ACL’s privacy practices following a data breach in February 2022, which ACL notified to the Office of the Australian Information Commissioner (OAIC) in July 2022.
The Australian Government’s Privacy Act Review Report emphasised the rarity of cases involving section 13G. It pointed out the lack of judicial consideration on section 13G and difficulties in identifying when the threshold of ‘serious interference’ had been breached.
The Commissioner has only taken action for civil penalties on one other occasion (against Facebook Inc), and these are the first proceedings brought in the context of allegations relating to a data breach.
However, the Commissioner is currently investigating high-profile data breaches relating to Optus, Medibank Private and Latitude Financial.
Current proceedings against ACL are being viewed by many as a test case in relation to the interpretation of the legislation and the standards applied. Organisations should be watching closely for any judicial consideration of the reasonable steps to protect personal information from unauthorised access.
With a maximum penalty for a breach of section 13G applicable in this case of $2,220,000 for each contravention (based on the penalty regime applicable at the time of the alleged conduct), it’s not an issue to take lightly.
We are likely to see more activity in this space in future, reflecting the substantially increased maximum penalties which commenced in December 2022 under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) (Privacy Enforcement Act).
Under the Privacy Enforcement Act, the penalty for a serious or repeated breach of privacy by a body corporate has been increased to the greater of $50 million or three times the value of any benefit obtained through the contravention. If the value of the benefit obtained cannot be determined, a penalty of 30 per cent of a company’s domestic turnover in the ‘breach turnover period’, for example 12 months from the start of the month in which the offence occurred, or the duration of the contravention, whichever is longer, can be imposed.
The Privacy Enforcement Act also introduced reforms to the Notifiable Data Breach Scheme: it provides the Commissioner with new powers to obtain information in relation to an actual or suspected eligible data breach, expands the Commissioner’s powers to assess an entity’s compliance with the Privacy Act to include notification of eligible breaches, and requires entities to set out the kinds of information involved in an eligible data breach.
Strengthening enforcement of the Privacy Act is one of five key focus areas identified in the Australian Government’s Response to the Privacy Act Review released in September 2023. The Response endorses proposed reforms aimed at enhancing the Commissioner’s powers and regulatory toolkit. This involves introducing a tiered structure to civil penalty provisions, and expanding the scope of orders that the court may impose in civil penalty proceedings.
Agreeing on the need for a strategic organisational review by the OAIC, the Australian Government is working to ensure it is structured to have a greater enforcement focus, which will include consideration of its resourcing requirements.
Going forward, we can expect to see the Commissioner making use of the full range of their new powers to enhance the effectiveness of Australia’s privacy regulator.
Proactive changes made now will help mitigate the costs of system upgrades when the new changes are legislated.
The Response from the government conveys a clear message to businesses, indicating that although the legislation to enact these changes has not been drafted yet, it is anticipated in the near future.
This is important as many of the changes will affect the way organisations structure themselves and the way existing IT systems and information management channels are arranged within businesses. Businesses should use this lead time to proactively adapt and update their systems.
Elizabeth Carroll is Partner at Holding Redlich
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.