AIC’s Civil Penalty Proceedings Against ACL: A Reminder For All Entities On Updated Penalty Provisions

Written By

julie cheeseman Module
Julie Cheeseman

Partner
Australia

I am a partner in our Sydney office, where I specialise in media and technology disputes and advice.

jonathon ellis Module
Jonathon Ellis

Partner
Australia

I am an experienced litigation and investigations lawyer based in Sydney, leading Bird & Bird's Australian disputes and investigations practice and co-leading our global Defence and Security practice.

As noted in our article, regulation of data has emerged as a key focus for Australian regulators in recent years. Consistent with this, on 3 November 2023, the Australian Information Commissioner (AIC) commenced Federal Court proceedings against Australian Clinical Labs (ACL) in respect of a data breach which occurred in February 2022, alleging that it had ‘seriously interfere[ed] with the privacy of millions of Australians’.

In particular, the AIC alleges that ACL has contravened its obligations in the Privacy Act 1988 (Cth) (Privacy Act) to:

  • take reasonable steps to protect the personal information it holds from unauthorised access, in circumstances where the failure to do so left ACL vulnerable to a cyberattack;
  • carry out a reasonable and expeditious assessment of whether an eligible data breach has occurred within 30 days of becoming aware of it; and
  • notify the AIC of an eligible data breach as…

Full article available on Disputes +

Latest insights

More Insights
Curiosity line yellow background

SG Trade Marks Fast Programme: Accelerated Examination for Local Applications in Singapore

Jun 12 2025

Read More
featured image

Expansion of the definition of product under The Revised Product Liability Directive – the Finnish Perspective

4 minutes Jun 10 2025

Read More
featured image

4 Things to Know About Australia's New Statutory Tort of Privacy

5 minutes Jun 10 2025

Read More