Evidence Law Nick Johnson

Unpacking the Meaning of Unfair: Section 90 of the Evidence Act 1995 (NSW)

I       Nature of Section 90

 

Section 90 of the Evidence Act 1995 (NSW) (the ‘Evidence Act’) confers a discretion on the court to refuse to admit evidence of an admission where the evidence is adduced by the prosecution and, having regard to the circumstances in which the admission was made, it would be unfair to the accused to use the evidence against them. The onus rests on the party seeking exclusion of the evidence (i.e. the accused).[1]

 

Section 90 is a statutory formulation of the longstanding common law discretion of fairness (commonly referred to as the ‘Lee discretion’) that permitted a trial judge in criminal proceedings to exclude an admission made by an accused if the circumstances in which the admission was obtained would render the use of the admission at the trial unfair.[2]

 

The courts have emphasised that s 90 is a very broad and nebulous provision. The concept of unfairness under s 90 has been expressed in the ‘widest possible form’ by the legislature.[3] This invests the courts with a discretion to consider fairness, public policy and prevailing community standards, as well as the protection of the rights of the accused. Section 90 is therefore not confined to specific indicia or a priori rules of universal application; it is a liberal provision giving the court latitude to consider all material factors that may render the use of the admission in evidence unfair.[4] It is thereby unrealistic to compartmentalise exhaustively the circumstances that may bear upon unfairness. Section 90 is instead to be applied on a case-by-case basis.[5]

 

II      General Construction of the Unfairness Discretion

 

The general test under s 90 is as follows: in all the circumstances in which the admission was made by the accused, and having regard to contemporary community standards, would it be unfair to the accused if that evidence were used against them, in the sense that the admission was obtained at an unacceptable price?[6]

 

Guidance was provided by the High Court in R v Swaffield; Pavic v R as to the meaning of unfairness. Although the case concerned the common law Lee discretion, the common law authorities have been held to continue to guide and inform the application of s 90.[7] In R v Swaffield; Pavic v R, the High Court suggested that the purpose of the discretion is to protect the right of an accused to a fair trial.[8] Thus, the unfairness discretion should focus on ‘whether the reception of the evidence is likely to preclude a fair trial’ or ‘render[s] the [accused’s] trial unfair’,[9] in the sense that it involves a risk of the wrongful conviction of the accused. As stated in R v Swaffield; Pavic v R at 197: ‘[T]he purpose of the discretion to exclude evidence for unfairness is to protect the rights and privileges of the accused person. Those rights include procedural rights. There may be occasions when, because of some impropriety, a confessional statement is made which, if admitted, would result in the accused being disadvantaged in the conduct of his defence.’

 

And further at 189: ‘Unfairness then relates to the right of an accused to a fair trial …  It may be, for instance, that no confession might have been made at all, had the police investigation been properly conducted.’

 

In R v Burton [2013] NSWCCA 335, it was held at [128] that the inquiry is whether the circumstances surrounding the making of the admission ‘amount to an unfair derogation of the [accused's] right to exercise a free choice to speak or be silent’.

 

III     Relevant Considerations for an Assessment under Section 90

 

Given the liberal discretion created by s 90, a number of notable indicia have been developed throughout the case law to inform the unfairness assessment:

 

(1) The means used to obtain the admission.

Illegal or improper conduct on the part of interrogating officials may raise the inference that the admission would not have been made but for the improper conduct. As noted in R v Swaffield; Pavic v R at 172–3, ‘if a suspect were unfairly treated by the employment of illegal or improper methods and a confession were thereby obtained, the court would reserve a power to exclude the confession from evidence and thereby deprive the police or law enforcement officers of the fruit of their illegal or improper methods.’ Misrepresentation, trickery or the like which leads to the accused’s admission is an indicium relevant to the unfairness assessment.[10] It is to be noted that s 90 is not intended to act as a sanction against police officers for failing to obey police regulations.[11] Thus, ‘unfairness’ is assessed by reference to how the admission is used in evidence by the prosecution, rather than by asking whether the accused was treated unfairly by the police.[12]

 

In R v Pitts (No 1) [2012] NSWSC 1652, Adamson J excluded, at [26]–[41], certain admissions made during a police interview in circumstances where the accused had stated multiple times that he wished to make ‘no comment’ and had been advised by his lawyer not to give an interview. The interviewing police proceeded to ask seemingly innocuous questions and then continued into an interrogation which elicited the admissions.

 

However, even where trickery is used, evidence of an admission may still be admitted. For instance, where an admission is made in a ‘pretext call’ conducted before a suspect is questioned by police, and therefore before any exercise of the right to silence in response to police questioning, the admission can likely be fairly used as evidence notwithstanding the deception used to obtain it: see, for example, Lyon v The Queen [2019] VSCA 251.

 

(2) Circumstances that may make the admission unreliable.[13]

(3) The accused’s frailties and whether they are under a special disadvantage vis-à-vis the recipient of the admission.

For example, the accused’s mental and emotional state, age, race, intellect, education, literacy, intellectual disabilities, mental illnesses, state of sobriety, etc.[14] As stated in R v Phan [2001] NSWCCA 29 at [56]: ‘Each case must be determined … by reference to the … unfair advantage taken of [the accused’s] position, for example because of his age, vulnerability, lack of familiarity with the English language and so on’.

 

(4) Police conduct that robs an accused of their right to remain silent.[15]

Unfairness will be particularly apparent where the accused has made it clear that they intend to exercise that right, or where the police have failed to provide an adequate caution. In R v FE [2013] NSWSC 1692, Adamson J excluded admissions made to police by a 15 year old girl accused of murder because she was ‘effectively deprived of the right to choose whether to speak or not, because she was ignorant of her right to silence and she was neither cautioned, nor informed, in language that she could understand, or at all, what her rights were’: R v FE at [124].

 

(5) The voluntariness of the admission.[16]

For instance, in Director of Public Prosecutions (Vic) v Myles [2021] VSCA 324, the Victorian Court of Appeal upheld the trial judge’s finding that admissions were to be excluded under s 90 because the accused felt compelled to answer the questions put to him by his case manager: Myles at [35]–[37].

 

(6) Whether the accused made the admission under an incorrect assumption held at the time the admission was made.[17]

 

(7) Whether the conversation had been tape-recorded pursuant to a warrant issued by a Supreme Court justice.

In R v DRF [2015] NSWCCA 181, it was held to be a material consideration that the NSW Parliament had permitted the issue, in specified circumstances, of warrants authorising the use of surveillance devices to record private conversations. To regard an admission obtained by these means as unfair would subvert that statutory scheme for judicially sanctioned covert surveillance: R v DRF at [93]–[95].

 

The ACT Court of Appeal in Sidaros v The Queen (2020) 15 ACTLR 64 also held that a breach of the common law accusatorial principle justified the exclusion of evidence of an admission. The accusatorial principle is that guilt must be proved by the prosecution without the aid of the accused.[18] The Court held that eliciting the admission through undercover officers placed in the appellant’s prison cell, after the appellant had exercised his right to silence, breached the accusatorial principle, and that it would therefore be unfair to use the admission against the appellant.

 

The following have been held to be immaterial considerations:

(8) The probative value of the evidence;[19] and

 

(9) The seriousness of the offence.[20]

 

Nonetheless, cognisance is required of the fact that the investigation of crime ‘is not a game governed by a sportsman's code of fair play … [f]airness to those suspected of crime is not the giving of a sporting opportunity to escape the consequences of any legitimate and proper investigation.’[21]

 

IV     Conclusion

 

It is to be kept in mind that the legislature intended not to define, even partially, the concept of unfairness under s 90, as doing so would undermine the desirable flexibility and scope of the section. None of the aforementioned indicia is determinative of the exercise of the discretion; to treat any one of them as such would be repugnant to the general wording s 90 has been given. Each application of s 90 is thereby unique and, to a certain extent, fact-dependent. Per Kirby J in Em v The Queen at 121, ‘[w]hat would be “unfair” in one set of circumstances might not be so if just a few of the integers were changed.’ Nevertheless, regard should always be had to the foundational focus of s 90, viz. that evidence of an admission must not be introduced at an unacceptable and unwarranted price. Framing s 90 in this way not only preserves the broad discretion the legislature intended s 90 to confer, but also ensures that the rights of the suspect are kept at the forefront of the analysis.

 

 


FOOTNOTES:

[1] R v DJL [2024] NSWDC 165 at [273].

[2] R v Burton [2013] NSWCCA 335 at [88]; R v Simmons; R v Moore (No 2) [2015] NSWSC 143 at [52].

[3] R v Swaffield; Pavic v R (1998) 192 CLR 159, 193; R v Cresnar (No 2) [2019] NSWDC 671 at [8], [10].

[4] Em v The Queen (2007) 232 CLR 67, 121; R v W [1999] NSWSC 1128 at [27].

[5] JB v R [2012] NSWCCA 12 at [44]; Riley v R [2011] NSWCCA 238 at [151]–[158].

[6] R v Swaffield; Pavic v R (1998) 192 CLR 159, 194; R v Fernando [1999] NSWCCA 66 at [30].

[7] Em v The Queen (2007) 232 CLR 67 at [73], [188]; R v Helmhout & Ors [2000] NSWSC 185 at [62].

[8] This was also echoed in Van der Meer v The Queen (1988) 62 ALJR 656, 666.

[9] Bryant v The Queen [2011] NSWCCA 26 at [117].

[10] See R v Nelson [2004] NSWCCA 231 at [20] where the absence of trickery pointed to the admission being fairly used as evidence. See also R v Suckling [1999] NSWCCA 36 at [40]–[41].

[11] R v Swaffield; Pavic v R (1998) 192 CLR 159, 173.

[12] R v Lee (1950) 82 CLR 133, 154; Van der Meer v The Queen (1988) 35 A Crim R 232, 248; R v Em [2003] NSWCCA 374 at [104].

[13] Van der Meer v R (1988) 82 ALR 10. See R v Munce [2001] NSWSC 1072, where McClellan J refused to apply s 90 to an admission because it was not 'so unreliable that no weight could be given to it'.

[14] R v Archer (No 1) [2021] NSWSC 569; R v Taylor [1999] ACTSC 47.

[15] Higgins v The Queen [2007] NSWCCA 56 at [28]; R v Fischetti [2003] ACTSC 9 at [11]; R v Suckling [1999] NSWCCA 36 at [33]; R v Swaffield; Pavic v R (1998) 192 CLR 159, 202.

[16] R v Parkes [2024] NSWSC 269 at [62].

[17] Em v The Queen (2007) 232 CLR 67, 89.

[18] Lee v The Queen (2014) 253 CLR 455 at [45].

[19] R v Burton [2013] NSWCCA 335 at [89].

[20] R v Em [2003] NSWCCA 374 at [113].

[21] R v Swaffield; Pavic v R (1998) 192 CLR 159, 185–186.

Disclaimer:

‘Black Letter Law’ communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.

Privacy Law Nick Johnson

The Calculus of Compliance and Consequence: Analysing the Federal Court’s Landmark Decision in Australian Information Commissioner v Australian Clinical Labs Limited (No 2)

I       INTRODUCTION

 

The decision of the Federal Court in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) FCA 1224 (‘AIC’) marks a watershed moment in Australian privacy jurisprudence, ushering in an era of active enforcement under the Privacy Act 1988 (Cth) (‘the Act’). The Office of the Australian Information Commissioner (‘Commissioner’), the chief regulator under the Act, has long preferred to resolve disputes through conciliation. However, a more ‘proactive and harm-focussed [enforcement] approach’[1] has become apparent in recent years, including increased use of the Commissioner’s power under s 52 of the Act to make determinations[2] and, latterly, the commencement of civil penalty proceedings against Optus and Medibank.

 

AIC is the first civil penalty proceeding brought by the Commissioner under the Act.[3] The judgment of Halley J addresses the systemic failures of Australian Clinical Labs Limited (‘ACL’), a major private hospital pathology business, following a serious cyberattack in February 2022 against the IT systems it had acquired from Medlab Pathology Pty Ltd (‘Medlab’). The resultant civil penalty of AUD$5.8 million, imposed by the Court on the basis of the parties’ agreed facts and admissions, underscores the judiciary’s increasing readiness to impose substantial pecuniary consequences for failures to protect sensitive personal and health information.

 

Although the misconduct occurred before the drastically increased penalties introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) (‘2022 Amendment Act’) and the tiered penalty regime that now applies, the decision of Halley J sets a precedent for courts to impose severe financial penalties for serious data breaches, especially where entities fail to take reasonable steps to protect personal information in Australia’s rapidly changing cyber environment.

 

II     CASE SUMMARY

 

On 19 December 2021, ACL acquired the assets of Medlab. Medlab held personal information including health information, contact information, passport numbers, credit card information, and payment details of more than 223,000 individuals. Medlab’s IT systems had numerous cybersecurity deficiencies (the ‘Medlab IT Systems Deficiencies’).

 

On or before 25 February 2022, a malicious actor known as Quantum Group attacked the Medlab computer network, which was by then being operated by ACL. On 25 February 2022, ACL engaged an external cybersecurity firm, StickmanCyber, to investigate and respond to the attack and to advise on it. StickmanCyber advised that the ransom demand was likely a mere ‘scare tactic’: AIC at [23]. After producing a report on 2 March 2022, StickmanCyber advised ACL on 15 March 2022 that, as at the time it concluded its investigation, ‘no data was exfiltrated from the business’ and that it did not consider that the cyberattack had caused harm to any individual: AIC at [28]. In light of StickmanCyber’s advice and investigation, ACL had determined by 21 March 2022 that the cyberattack was not an eligible data breach and elected not to notify the Commissioner.

 

However, on or before 16 June 2022, 86 gigabytes of data exfiltrated from the Medlab IT systems was published on the dark web, including personal information, sensitive health information, and financial information such as complete credit card details. On 10 July 2022, ACL notified the Commissioner that it had reasonable grounds to believe that the cyberattack constituted an eligible data breach.

 

III    THE DECISION

 

The Court declared three contraventions of s 13G(a) of the Act by ACL:

(a)  Personal Information Contraventions: breaches of Australian Privacy Principle (‘APP’) 11.1(b) due to inadequate cybersecurity controls. The Court additionally confirmed that ACL contravened s 13G(a) in respect of each of the more than 223,000 affected individuals. The Court imposed a penalty of $4,200,000 for these contraventions;

(b)  Assessment Contravention: A breach of s 26WH(2) of the Act for failing to carry out a reasonable and expeditious assessment of the data breach. The Court imposed a penalty of $800,000; and

(c)  Notification Contravention: A breach of s 26WK(2) of the Act for failing to notify the Commissioner as soon as practicable. The Court imposed a penalty of $800,000.

 

In total, ACL was ordered to pay $5,800,000 in civil penalties to the Commonwealth of Australia.

 

IV    DEFINING THE CONTOURS OF CYBER RESILIENCE: THE PERSONAL INFORMATION CONTRAVENTIONS

 

APP 11.1(b) relevantly provides that an entity that holds personal information ‘must take such steps as are reasonable in the circumstances to protect’ that personal information from ‘unauthorised access, modification or disclosure.’[4]

 

As APP 11.1(b) had not been the subject of prior judicial determination, Halley J provided essential clarity, stating that the standard applied is objective and necessarily ‘informed by the circumstances’: AIC at [50]. His Honour enumerated several factors informing this broad construction, including at [50]:

the sensitivity of the personal information, the potential harm to individuals if the information was accessed or disclosed, the size and sophistication of the APP entity, the cybersecurity environment in which the APP entity operates, and any previous threats or cyberattacks made against the APP entity.

 

Deriving guidance from analogous ‘reasonable steps’ provisions found within the Corporations Act 2001 (Cth),[5] Halley J also considered that the obligation to take reasonable steps cannot be satisfied merely by delegating the obligation to another entity and doing nothing more,[6] and that reasonableness should not be elevated to taking all reasonable steps, the ‘one true path’,[7] or the optimal steps.[8]

 

Given ACL’s standing as one of the largest private hospital pathology businesses in Australia, handling large amounts of sensitive health and financial information, the expectation of diligence was commensurately high.

 

The findings of the Court identified critical failures in both pre-acquisition diligence and ongoing security posture, categorised broadly into two groups of deficiencies:

 

(a)    Medlab IT Systems Deficiencies

 

The foundation of the Personal Information Contraventions rested upon the security failures inherent in the Medlab IT Systems, which ACL acquired and operated from 19 December 2021. ACL admitted that it ‘did not identify certain relevant vulnerabilities in the Medlab IT Systems prior to its acquisition of the Medlab assets’: AIC at [16].

 

The Medlab IT Systems Deficiencies included, per [18]:

(a)  the antivirus software deployed by Medlab computers ‘was not capable of preventing certain malicious files from being written or run on those systems’;

(b)  Medlab computers ‘utilised weak authentication measures’;

(c)  systems ‘were subject to firewalls that could only log one hour of activity before the logs were deleted’. This severe limitation critically hampered ACL's ability to determine when the attack occurred or whether data had been exfiltrated.

(d)  the systems ‘had no form of file encryption’;

(e)  the Medlab network server ‘was running a legacy system of a Windows server that was not supported by Microsoft from 14 January 2020’; and

(f)   the antivirus software deployed on the Medlab server ‘did not prevent or detect a threat actor uploading data from the server to the internet’.

 

(b)   Medlab Cyberattack Response Deficiencies

ACL also had operational and preparedness deficiencies that undermined its ability to respond effectively once the breach was discovered. These failures were crucial because they contributed to the breach of APP 11.1(b). Halley J confirmed that ACL’s ability to detect and respond by itself to cyber incidents was deficient because, per [53]:

(a)  the ACL cyber incidents playbooks ‘did not clearly define roles and responsibilities for incident response efforts’ and ‘contained limited detail on containment processes’ or steps to mitigate exfiltration. Furthermore, the playbooks ‘recommended steps for technologies that were not used within the Medlab IT Systems’;

(b)  there was ‘inadequate testing of incident management processes’ in the period between acquisition and the cyberattack;

(c)  ‘Data Loss Prevention was not used on the Medlab IT Systems to detect or prevent the theft of personal information’;

(d)  ‘adequate tooling/products that could perform behavioural-based analysis of activities in order to determine whether malicious actions might be undetected by an antivirus product were not used’;

(e)  there was ‘no application whitelisting in place to prevent unknown or unauthorised applications from running on Medlab computers’;

(f)  there were ‘only limited communications plans’;

(g)  the Medlab IT Team Leader ‘had not seen, used, or received training on the playbooks provided and had no formal cybersecurity background or incident response training’;

(h)  there was ‘limited security monitoring capability because the firewall logs were only retained for one hour’;

(i)  ‘specific data recovery plans had not been developed’; and

(j)  Medlab staff ‘were not required to use multifactor identification to use the Medlab VPN’.

 

(c)    Other Salient Considerations

 

Halley J stated that the totality of these facts satisfied the Court that ACL breached APP 11.1(b), leading to a serious interference with the privacy of the more than 223,000 affected individuals. The failure was deemed serious particularly having regard to ‘the extent of the Medlab IT System Deficiencies and the Medlab Cyberattack Response Deficiencies’: AIC at [58].

 

In casu, the Court noted that ACL operated in a landscape of high cybersecurity risk and that there was a real risk of harm to individuals should their health or other personal information be accessed and disclosed without authorisation. The Court also highlighted the ‘overreliance that ACL placed on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents’ as contributing to the seriousness of the APP 11.1(b) breach: AIC at [52]. ACL’s delegation of operational responsibility to StickmanCyber as a third party did not automatically absolve it of its statutory duty. The reasonable steps obligation under APP 11.1(b) cannot be discharged by delegation alone; relying purely on third-party providers without engaging in internal cyber resilience investigations was inconsistent with the spirit of the APP. Although external cybersecurity providers can help ensure that investigations are independent, comprehensive and impartial, AIC emphasises that it is nevertheless critical for entities to establish and use adequate internal procedures to identify and respond to cyber incidents themselves.

 

V     THE IMPERATIVE OF TIMELY RESPONSES: INTERROGATING NDB OBLIGATIONS (ss 26WH and 26WK)

 

The judgment provides equally critical guidance on the operation of the Notifiable Data Breach (‘NDB’) scheme obligations under Part IIIC of the Act, which were breached by ACL on two fronts, constituting separate contraventions of section 13G(a) of the Act:

(a)   the Assessment Contravention, per s 26WH(2) of the Act; and

(b)  the Notification Contravention, per s 26WK(2) of the Act.

 

Compliance with the NDB scheme is critical to effective cyber security and supports both the prevention of cybercrime and harm minimisation following an incident. By notifying affected individuals of a relevant data breach, those affected persons are placed in a position whereby they can remediate, or at least mitigate, their risk of harm such as amending passwords or advising financial institutions as to their compromised information. The NDB scheme additionally has a general utility in ensuring that entities are accountable for privacy protection. To this extent, the NDB scheme reinforces privacy protection obligations owed by entities dealing with personal information and ensures relevant entities establish sufficient data breach response systems to comply with the NDB scheme.

 

(a)    Failure to Conduct a Reasonable and Expeditious Assessment (s 26WH(2))

 

The duty to conduct an assessment under section 26WH(2) is triggered when an entity is aware of ‘reasonable grounds to suspect that there may have been an eligible data breach of the entity’.[9] Halley J was persuaded that ACL had subjective knowledge or awareness of circumstances ‘that were objectively sufficient to establish in the mind of a reasonable person’ the requisite suspicion by 2 March 2022, that being the date on which StickmanCyber issued its report: AIC at [74].

 

The resultant obligation was to carry out a ‘reasonable and expeditious assessment’ within the mandated 30-day period.[10] The Court at [77] concluded that ACL contravened s 26WH(2) because the assessment undertaken was inadequate and unreasonable. ACL’s reliance solely upon the limited work conducted by StickmanCyber was deemed ‘unreasonable’ given ACL’s own awareness of the inherent deficiencies, particularly the inadequate technical controls still in place: AIC at [78]. The forensic assessment was inadequate because per [77]:

(a)   It only monitored ‘3 of the at least 127 computers subject to ransomware deployed by the Quantum Group’;

(b)  It did not conduct any investigation into ‘the Quantum Group and its attack traits to determine whether data was likely to have been exfiltrated’;

(c)   It based its review on ‘only one hour of firewall logs’, accessed approximately four hours after the ransom note was downloaded, severely restricting the ability to reconstruct the attack; and

(d)  It only conducted a ‘limited investigation’ of whether persistence mechanisms may have been established.

 

The Court affirmed the contravention of s 26WH(2) was ‘serious’ for the purposes of s 13G(a), noting that the ‘failure to conduct the stipulated reasonable and expeditious assessment likely resulted in a delay in ACL ultimately notifying the Commissioner’: AIC at [79]. This delay hindered the Commissioner’s function to assist affected individuals.

 

(b)   Failure to Notify the Commissioner 'As Soon As Practicable' (s 26WK(2))

 

The Notification Contravention arose under section 26WK(2) when ACL became aware that there were ‘reasonable grounds to believe that there had been an eligible data breach’. This requisite knowledge was attained by 16 June 2022, upon receiving the ‘second ACSC notification’ confirming ‘potentially 80gb of Medlab data was published from the Quantum group’ on the dark web: AIC at [35].

 

Upon gaining this belief, ACL was obligated to prepare and give the required statement to the Commissioner ‘as soon as practicable’.[11] Halley J interpreted the term ‘practicable’ by noting that the required notification statement under s 26WK(3) is ‘not particularly onerous’.[12] It merely requires a description of the breach, the kind of information concerned and recommendations for steps individuals should take.

 

ACL admitted it was practicable to have provided this statement ‘within two to three days’ of 16 June 2022: AIC at [89]. Instead, ACL delayed, not providing the statement until 10 July 2022, representing a 24-day delay. This was a further contravention of s 26WK(2). This delay was also determined to be a serious interference with privacy particularly as it ‘delayed the ability of the Commissioner to perform her statutory function’ in monitoring notifications and providing guidance and important information about the impact of the cyberattack: AIC at [91].

 

 

VI    THE NEW ENFORCEMENT ERA: PENALTY CALCULUS, DETERRENCE AND IMPACT OF STATUTORY AMENDMENTS

 

The Federal Court’s approval of the aggregate civil penalty of AUD$5.8 million against ACL is an explicit signal of the new phase of active enforcement under the Act. This outcome confirms the Court’s readiness to impose substantial financial consequences for serious breaches.

 

(a)    Judicial Methodology and the Multiplicity of Contraventions

 

ACL’s contraventions occurred prior to the 2022 Amendment Act. At the time of the breaches, the maximum civil penalty was 2,000 penalty units at a value of $222 per unit. A pecuniary penalty for a body corporate must not be more than five times the pecuniary penalty specified for the civil penalty provision.[13] The maximum penalty per contravention was therefore $2,220,000 (2,000 ⋅ $222 ⋅ 5).

 

Consistent with the objects of the Act, the Court accepted that ACL engaged in a ‘separate contravention of s 13G(a) in respect of each of the more than 223,000 individuals’ whose personal information was compromised: AIC at [60]. This finding confirmed the theoretical maximum penalty available under the prevailing regime was $495,060,000,000 [that being (2,000 ⋅ $222 ⋅ 5) ⋅ 223,000]: AIC at [121].

 

In determining the imposed penalty of $5,800,000, Halley J applied the principle of ‘instinctive synthesis’, weighing the following aggravating factors against the ameliorating steps taken by ACL:

 

Aggravating Factors

  • The contraventions were extensive and significant.

  • The contraventions arose from a failure to act with sufficient due care and diligence in managing the risk of the cyberattack.

  • The contraventions had, at least, the potential to cause serious harm to affected individuals.

  • The contraventions had the potential to impact public trust in entities holding personal information.

  • ACL was one of the largest private hospital pathology businesses.

  • ACL’s senior management were involved in the integration of the Medlab IT systems.

Mitigating Factors

  • ACL did not derive financial gain.

  • ACL had not previously contravened the Act.

  • The contraventions were not deliberate and did not arise from deliberate misconduct.

  • ACL had commenced a review of its cybersecurity processes and controls prior to the cyberattack.

  • ACL cooperated with the investigation conducted by the Commissioner from December 2022.

  • ACL admitted to the contraventions.

  • ACL apologised for the cyberattack.

  • The contraventions arose from a single course of conduct.

 

The final penalty was sufficient for specific and general deterrence, ensuring it could not objectively be characterised as ‘a cost of doing business’: AIC at [138].

 

(b)   The Intersection with the Privacy Legislation Amendment Act 2022

 

The most profound ramification of AIC lies in the guidance it provides for applying the drastically increased penalties introduced by the 2022 Amendment Act,[14] which commenced on 13 December 2022.

 

ACL’s conduct, having occurred before this date, was assessed under the prior penalty regime. The 2022 Amendment Act drastically increased the maximum penalty for serious interferences with privacy, and later amendments have added lower tiers, so that the Act now contains a tiered civil penalty regime under which a contravention need not be ‘serious’ to attract a civil penalty. The following maximum penalties now apply:[15]

  • Tier: Serious interferences with privacy (i.e. the tier applicable to ACL)

    • Penalty for Corporations: the greater of

        (a) AUD$50 million;

        (b) three times the value of any benefit obtained by the misuse of information; or

        (c) if that value cannot be determined, 30% of the relevant APP entity’s turnover during the breach period.

    • Penalty for Individuals (e.g. Directors): AUD$2.5 million

  • Tier: ‘Mid-tier’ contraventions that do not meet the threshold of ‘serious’

    • Penalty for Corporations: AUD$3.3 million

    • Penalty for Individuals (e.g. Directors): AUD$660,000

  • Tier: ‘Low-tier’ breaches of specific APPs, or failure to comply with a compliance notice

    • Penalty for Corporations: AUD$330,000

    • Penalty for Individuals (e.g. Directors): AUD$66,000

The judicial finding in AIC that each affected individual constitutes a separate contravention dramatically compounds the liability under the new regime. This methodology, coupled with the enhanced penalty quantum, means that a breach impacting even a relatively small number of individuals, for example, 10,000 persons, could expose a large corporation to potential penalties in the hundreds of millions or billions of dollars, creating an absurd and impracticable level of risk. This risk signals that cyber incidents now have the potential to pose significant financial implications for even Australia's largest companies.

 

VII  TAKEAWAYS FROM THE DECISION

 

(a)    Reasonable steps obligation

 

AIC provides useful guidance for entities as to what constitutes reasonable steps under the Act. Importantly, the Court’s observation that ACL ought to have been aware of the high-risk cybersecurity environment in which it operated introduces something of a ‘sliding reasonableness scale’ for businesses – that is, an entity operating in a low-risk environment may not be held to the same reasonableness threshold as one operating in a high-risk environment such as ACL’s. Even then, the risk profile of the environment in which a company operates can itself fluctuate over time. For instance, a low-risk environment may suddenly be subject to numerous serious cyberattacks, leading that environment to be considered a high-risk one. Companies therefore ought to remain constantly and fully acquainted with the particular cyber risks affecting the sphere in which they operate, as this will shape the cybersecurity expectations placed upon them.

 

The fact that the reasonable steps assessment is a holistic one also emphasises the need for businesses to have robust cyber risk management systems, to constantly assess the efficacy of those systems, and to have comprehensive, multi-disciplinary cyber incident response teams to manage breaches should they occur. It is to be noted, however, that the reasonableness requirement under APP 11.1(b) does not demand optimality, nor does it require an organisation to take every possible reasonable step.

 

(b)   Due diligence

 

A pertinent factor in ACL’s contravening conduct was its failure to address the risks and cybersecurity deficiencies of the acquired Medlab IT systems. Businesses in M&A contexts therefore ought to conduct proper due diligence when acquiring IT systems and personal information from other entities. Due diligence cannot end at a mere paper questionnaire, but must encompass thorough investigation and testing so that the suitability of the acquired cybersecurity systems can be confidently determined. Where issues become apparent, they ought to be addressed as effectively as possible prior to, or at the latest immediately after, the integration of the acquired IT systems.

 

(c)    The importance of cybersecurity commitments

 

ACL approved a program in July 2021 to uplift its cybersecurity capabilities, including a requirement, in place since August 2022, that all ACL employees undertake cybersecurity training. In August 2023, ACL additionally appointed a Chief Information Security Officer. Notwithstanding that the appointment occurred after ACL’s relevant contraventions, the Court held that it demonstrated ACL’s ongoing commitment to developing a satisfactory culture of compliance. That evident commitment was a mitigating factor in the civil penalty assessment.

 

As such, pre- and post-contravention conduct indicating a commitment to enhancing cybersecurity is a mitigating factor that the Courts can consider if a breach does occur. This provides an incentive for companies to take positive steps to encourage compliance with the Act and to improve their cybersecurity systems even after an attack has occurred. This is important. If the Court were only able to consider an organisation’s compliance efforts before the breach as a mitigating factor, companies would have no incentive to remediate the faults in their cybersecurity systems, at a minimum, in the period between when the breach occurred and when proceedings are commenced. The fact that the Court can reward compliance efforts at any time before or after a breach encourages companies to aim constantly to comply with the Act.

 

VIII CONCLUSION

 

The judgment of Halley J in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) FCA 1224 serves as the definitive judicial pronouncement marking the OAIC’s transition to an era of active enforcement, definitively establishing the seriousness of systemic security failures, inadequate assessment and protracted breaches of NDB notification obligations under s 13G(a) of the Act. Crucially, the affirmation of the per-individual approach to calculating penalties for APP 11.1 breaches provides the legal mechanism which, when fused with the augmented maximum penalty regime under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, translates compliance failure into an exponential and potentially existential corporate risk. This decision unequivocally mandates that entities prioritise non-delegable security controls, conduct rigorous cyber due diligence in M&A activities and ensure rapid, competent internal incident assessment, thereby establishing a new regulatory baseline that demands proactive cyber resilience across the Australian economy.

 

FOOTNOTES:

[1] ‘Statement of regulatory approach’, Office of the Australian Information Commissioner (Web Page, 20 February 2025) <https://www.oaic.gov.au/about-the-OAIC/our-regulatory-approach/statement-of-regulatory-approach>.

[2] Normann Witzleb, Privacy law: Personal information under the Privacy Act 1988 (Cth) – Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 (2017) 45(2) Australian Business Law Review 188, 188.

[3] It is to be noted that ASIC has previously made declarations and penalty orders for cyber breaches and deficient responses pursuant to the Corporations Act 2001 (Cth): see for example, Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496.

[4] Privacy Act 1988 (Cth) sch 1 s 11.1.

[5] Corporations Act 2001 (Cth) ss 961L, 963F, 994E(5).

[6] Per Clarke (as trustee of the Clarke Family Trust) & Ors v Great Southern Finance Pty Ltd (Receivers and Managers Appointed) (in liquidation) & Ors [2014] VSC 516 at [543] (Croft J).

[7] Per Australian Securities and Investments Commission v R M Capital Pty Ltd [2024] FCA 151 at [73] & [80] (Jackson J).

[8] Per Australian Securities and Investments Commission v R M Capital Pty Ltd [2024] FCA 151 at [392] (Moshinsky J).

[9] Privacy Act 1988 (Cth) s 26WH(1)(a).

[10] Privacy Act 1988 (Cth) s 26WH(2)(a).

[11] Privacy Act 1988 (Cth) s 26WK(2)(b).

[12] Privacy Act 1988 (Cth) s 26WK(3).

[13] Regulatory Powers (Standard Provisions) Act 2014 (Cth) s 82(5)(a).

[14] Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth).

[15] Privacy Act 1988 (Cth) s 13G.

Disclaimer:

‘Black Letter Law’ communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.
