Australian Information Commissioner v. Australian Clinical Labs Limited (No 2) [2025] FCA 1224
In brief
The Federal Court has ordered Australian Clinical Labs Limited (ACL) to pay a AUD 5.8 million civil penalty in connection with a data breach involving Medlab Pathology Pty Ltd (“Medlab“), which was acquired by ACL in December 2021. This is the first civil penalty proceeding brought by the Australian Information Commissioner (“Commissioner“) in the history of the Privacy Act 1988 (Cth) (“Act“).
The Court assessed the test for “reasonable steps” by organisations to protect personal information, and the delay by ACL in undertaking an eligible data breach assessment and issuing a notification to the Commissioner.
This case marks a shift towards stricter regulatory enforcement and highlights the need for organisations to be diligent in preventing and responding to eligible data breaches.
Click here to access the full alert.
Author
Paul Forbes
Paul Forbes is a partner in the Dispute Resolution group at Baker McKenzie, Sydney. He acts in complex commercial disputes before state, federal and appeal courts in relation to claims for negligence, misleading conduct and other contraventions of trade practices legislation, breach of contract, judicial review, equitable relief, fraud, white-collar crime, data and cyber-security.
Author
Ryan Grant
Ryan Grant is a litigation partner with over 12 years' experience.
Ryan has acted for national and international technology and media companies in relation to disputes in the areas of misleading or deceptive conduct, data protection, data breach, copyright, defamation, including online defamation, and general commercial disputes. Many of these disputes involve issues that have never been litigated in Australia.
Ryan also holds a Bachelor of IT majoring in Software Engineering and Internet Technology and worked as a software developer prior to becoming a lawyer.
Author
Adrian Lawrence
Adrian is the Head of the Firm's Asia Pacific Technology, Media & Telecommunications Group. His practice focuses on advising on online and offline media interests including digital copyright, data and information transfer, content and advertising regulation, consumer protection, defamation, online payment systems and transaction engines, online gambling, website risk minimisation measures, online security and cryptography, securities licensing, and trade marks and domain names.
Author
Simone Blackadder
Simone Blackadder is a senior associate in the Media & Content team at Baker McKenzie, Sydney. She works primarily on litigious matters within the IT, communications, media and defamation fields. Simone assists on a variety of commercial, advisory and litigious matters for a range of clients in the IT, communications, media, pharmaceutical, high end and luxury retail industries, including in relation to privacy, media, contractual, intellectual property and advertising law.
Author
Hannah Stacey
Hannah is an Associate in the Dispute Resolution group at Baker McKenzie, Sydney.
Hannah has established herself as a leading advisor to organisations that have experienced cyber incidents internationally, assisting them to navigate largescale, complex attacks through coordination of forensics, operations, legal, regulatory and law enforcement engagement, communications, insurance and threat intelligence.
