
Importantly, these cases bring into sharp focus the growing legal, financial and reputational risks for those who mishandle personal information, whether deliberately or otherwise. 

OAIC has also announced its first ever ‘privacy compliance sweep’ for January 2026, in which it will scrutinise the privacy policies of organisations in targeted sectors.

With the new tort, an active class action landscape, an empowered regulator, and privacy reforms in full swing, any weaknesses in an organisation’s privacy or data governance posture are a clear risk in need of redress.

Recap: Status of Australia’s Privacy Reforms

As canvassed here and here, the first tranche of major reforms to the Privacy Act was passed late last year.  By way of recap, the majority of changes took effect in December 2024.  However:

  • Statutory Tort: The statutory tort for serious invasions of privacy commenced in June 2025

  • Automated Decision-Making: APP entities must update their privacy policies by 11 December 2026 to disclose their use of automated decision-making where personal information is used in a decision made, or substantially and directly contributed to, by a computer program (including AI), and the decision could reasonably be expected to significantly affect the rights or interests of an individual. 

  • Remainder of Tranche 1: In connection with the first tranche of reforms, cross-border data transfer rules are still pending, and a Children’s Online Privacy Code is to be finalised by December 2026. 

  • Tranche 2: While the second tranche of privacy reforms is yet to unfold, it is expected to have a bigger impact than the first,[1] with changes such as removal of the small business exemption ‘agreed in-principle’.

Meanwhile, OAIC announced that it will be conducting its first ever ‘privacy compliance sweep’, commencing in the first week of January 2026.[2]  OAIC will target entities in six sectors known for collecting information in-person (such as pharmacy, rental and property sectors) and review their privacy policies for compliance with APP 1.4.  Entities found to have non-compliant privacy policies are likely to face compliance or infringement notices and associated penalties.

First Claims under the New Statutory Tort for Serious Invasions of Privacy 

Shortly after its introduction in June 2025, two cases were commenced in reliance on the new tort.

Groth & Groth v The Herald and Weekly Times & Ors

First, on 29 August 2025, Sam Groth, deputy leader of the Victorian Liberal party, and his wife, Brittany Groth, filed proceedings in the Federal Court of Australia against the Herald Sun, together with an editor and journalist, claiming that a series of published news articles about the origins of the Groths’ relationship were a serious invasion of Ms Groth’s privacy and defamatory.[3]  

The Herald Sun applied to strike out the case, relying on the journalistic exemption from the statutory tort.  Exemptions are available where there is an invasion of privacy by journalists, agencies, State or Territory authorities, law enforcement bodies, intelligence agencies or children under the age of 18.[4]  The Groths argued that the articles did not constitute “journalistic material” (defined as material with the character of or relating to news, current affairs or a documentary), and that the Court should determine whether the exemption did in fact apply. 

While the proceeding was set to become the first test case of the new statutory tort, it settled out of court in November 2025, with the Herald Sun publishing an apology to the Groths.

Kurraba Group Pty Ltd & Smith v Williams

Second, on 2 October 2025, Kurraba Group Pty Ltd (Kurraba) and its CEO, Nicholas Smith, commenced proceedings against Michael Williams.  The plaintiffs alleged that Mr Williams had led an extortion campaign against them, and sought urgent interlocutory orders, damages and other relief for defamation, intimidation and serious invasion of Mr Smith’s privacy.

The District Court of New South Wales granted an interlocutory injunction in respect of the alleged serious invasion of privacy, marking the first published judicial consideration in respect of the new tort.[5] 

Mr Williams, a neighbour with a short term lease, was opposed to a development application lodged by Kurraba with the City of Sydney.  Judge Gibson observed that following unsuccessful negotiations between the parties, Mr Williams began a campaign against Mr Smith and the development, which included: 

  • lodging lengthy written submissions opposing the development application; 

  • posting on Google a one star review and various assertions in relation to Kurraba; 

  • making oral submissions, including “serious allegations”, to the Central Sydney Planning Committee; and 

  • creating a “Kurraba Group Exposed” website, where he made a series of allegations “of the gravest kind” against Kurraba and Mr Smith.[6]

Relevant to the claim for serious invasion of privacy, Mr Williams published private wedding photographs of Mr Smith and his wife.  Judge Gibson determined that the wedding photographs were never intended to be made public, in circumstances where Mr Smith and his wife were not public figures, and that the wedding photographs were misused by Mr Williams, who sought to portray them as “indicating moral delinquency and drunkenness as opposed to the sanctity of marriage and the ceremonial proceedings.”[7] Her Honour was cautious in describing the conduct alleged to constitute a serious invasion of privacy, noting that mere repetition of false allegations in a judgment can increase the damage caused, under the “Streisand effect”.[8]  Her Honour characterised Mr Williams’ conduct as extortion and not journalistic-style investigation.[9] 

The Court found that there was a serious question to be tried in relation to the tort of privacy (and the torts of defamation and intimidation).  It granted interlocutory injunctions against Mr Williams, restraining him from publishing any further material in relation to the plaintiffs or the development, and requiring the removal of such materials from the internet and social media platforms.[10]

While the matter awaits final determination, Kurraba demonstrates the availability of interlocutory relief for the statutory tort, amongst the broad range of other remedies available.  Relatedly, Judge Gibson observed that “[t]his legislation was intended to provide a flexible framework to address current and emerging privacy complaints and to provide individuals with the ability to protect themselves and seek compensation for a broader range of invasions of privacy than is the case under existing law.”[11]

First Civil Penalty Proceeding under the Privacy Act

Australian Information Commissioner v Australian Clinical Labs Limited (No 2)

On 8 October 2025, in the first civil penalty case to reach judgment in the history of the Privacy Act,[12] the Federal Court of Australia ordered Australian Clinical Labs (ACL) to pay AU$5.8 million in civil penalties in relation to its contraventions concerning the hack of its Medlab Pathology business (Medlab).  The data breach resulted in the exfiltration and dark-web publication of a large volume of personal and sensitive information.

While ACL admitted liability and agreed penalties (based on a penalty regime which has since been greatly magnified), the judgment provides useful guidance on what is expected of APP entities:

  • in protecting personal information;

  • where an ‘eligible data breach’ occurs or may have occurred; and

  • where there has been a failure to comply with the requirements of the Privacy Act.

Relevant Factual Background 


ACL, one of Australia’s largest pathology providers, acquired Medlab in December 2021.  Medlab provided health services including prenatal genetic testing, fertility assessments and testing for sexually transmitted diseases.  ACL’s acquisition included Medlab’s computer and communications hardware, computer and information technology systems, equipment and software.[13] 

The personal and sensitive information of over 223,000 individuals, including health, contact, credit card and payment data,[14] was held on the Medlab IT systems.  Those systems suffered from a range of cybersecurity deficiencies (including inadequate antivirus software and firewalls, weak authentication measures, no file encryption and an unsupported and outdated Windows server) (Medlab IT System Deficiencies).[15] 

In February 2022, a threat actor known as the Quantum Group launched a ransomware attack on Medlab’s IT systems.  ACL instructed its existing third-party cybersecurity service provider (StickmanCyber) to investigate, respond to and advise on the cyberattack.  In March 2022, StickmanCyber provided ACL with an incident summary report and an email indicating that it considered the cyberattack had not caused harm to any individual.  Based on StickmanCyber’s analysis and advice, ACL determined that the cyberattack was not an eligible data breach for the purposes of the Privacy Act,[16] and made no notification to OAIC at that time.

The Australian Cyber Security Centre (ACSC) issued two alerts to ACL, in March and June 2022, the second alerting ACL that potentially 80 GB of Medlab data had been published by the Quantum Group on the dark web.[17] Following ACL’s legal review of the exfiltrated data (conducted by external solicitors from 22 June to 10 July 2022), ACL notified OAIC on 10 July 2022 that there were reasonable grounds to believe that the cyberattack was an eligible data breach.[18] ACL published an apology and information for affected individuals in October 2022 via its website and an ASX announcement. 

OAIC subsequently brought proceedings against ACL, alleging contraventions of s 13G(a) of the Privacy Act by reason of breaches of APP 11.1(b), s 26WH(2) and s 26WK(2). 

Breach of APP 11.1(b): Failure to take reasonable steps to protect personal information

ACL admitted that its cyberattack detection and response capabilities were deficient due to:

  • cyber incident playbooks lacking clear roles, containment steps and relevant technologies;

  • inadequate testing of incident management processes of the Medlab IT systems after acquisition;

  • lack of data loss prevention tools;

  • lack of behavioural analysis tools to detect threats missed by antivirus software;

  • lack of application whitelisting;

  • limited communication plans;

  • the Medlab IT team leader’s lack of training and cybersecurity expertise;

  • minimal security monitoring, with firewall logs retained for only one hour;

  • lack of specific data recovery plans; and

  • lack of requirement for multifactor authentication on the Medlab VPN,

(together, Medlab Cyberattack Response Deficiencies).[19]

The Court found that ACL failed to take “such steps as are reasonable in the circumstances” to protect the personal information held on the Medlab IT systems from unauthorised access and disclosure, in breach of APP 11.1(b).  Justice Halley’s finding was based on a range of factors including:

  1. the size and nature of ACL’s business;

  2. the volume and sensitivity of the information;

  3. the high cybersecurity risks ACL faced and the risk of harm to individuals if their health and other personal information were accessed and disclosed without authorisation;

  4. the Medlab IT System Deficiencies;

  5. ACL’s failure to identify the Medlab IT System Deficiencies prior to its acquisition of Medlab;

  6. ACL’s delay in identifying the Medlab IT System Deficiencies; and

  7. ACL’s overreliance on third party service providers and its failure to have in place adequate procedures to detect and respond by itself to cyber incidents.[20]

Breach of Privacy Act s 26WH(2): Failure to carry out a reasonable and expeditious assessment as to an eligible data breach

The Court was satisfied that, despite StickmanCyber’s advice to the contrary, ACL had subjective knowledge or awareness of circumstances that were objectively sufficient to establish, in the mind of a reasonable person, a suspicion that there may have been unauthorised access to or disclosure of personal information likely to result in serious harm to any of the 223,000 affected individuals.[21]  

This knowledge or awareness, and state of suspicion, required ACL to undertake a reasonable and expeditious assessment (within 30 days) of whether there were reasonable grounds to believe that the cyberattack amounted to an eligible data breach.[22]  Justice Halley found that ACL failed to do so, in contravention of s 26WH(2).  In particular, as the StickmanCyber assessment relied upon by ACL was inadequate and based on a limited investigation, and as ACL was aware of the limited nature of the assessment, it was unreasonable for ACL to rely solely on StickmanCyber’s assessment and advice. [23]

Breach of Privacy Act s 26WK(2): Failure to notify OAIC as soon as practicable

The Court found that ACL had reasonable grounds to believe that an eligible data breach had occurred by at least 16 June 2022, the date of ACSC’s second alert, triggering an obligation for ACL to notify OAIC as soon as practicable.[24] Justice Halley was guided by the remarks of Parliament that practicability was “intended to involve considerations about whether the time, effort or cost of a particular form of notification, when considered in all the circumstances of the entity and the data breach, would render such notification impracticable.”[25] 

His Honour observed that the information required in a notification to OAIC is not particularly onerous – it needs only a description of the data breach, the kind(s) of information involved, and recommendations about steps individuals should take in response.[26] Justice Halley accepted ACL’s admission that it would have been practicable for it to have notified OAIC within 2 to 3 days of becoming aware on 16 June 2022 of reasonable grounds to believe that there had been an eligible data breach.  However, ACL did not notify OAIC until 10 July 2022 (namely, 24 days after becoming so aware), in contravention of s 26WK(2).[27]

Breach of Privacy Act s 13G: Serious or repeated interferences with privacy 

In construing the meaning of “serious” for the purposes of s 13G, Justice Halley had regard to whether a contravention was “grave or significant” or “weighty, important, grave and considerable.”  This is ultimately a question of fact that must be determined “by reference to the degree of the departure from the requisite standard of care and diligence and the nature of the conduct, rather than the nature of the provision that has been contravened.”[28]

His Honour was satisfied that ACL’s breaches were “serious” interferences with privacy, having regard to the nature and volume of the personal information (including sensitive health information), the Medlab IT System Deficiencies, the Medlab Cyberattack Response Deficiencies, ACL’s reliance on a third party cybersecurity service provider, the high cybersecurity risks facing ACL, and the delays in notification to OAIC caused by ACL’s failure to conduct a reasonable and expeditious assessment.[29]

Additionally, his Honour concluded there were “repeated” interferences with privacy as regards the breach of APP 11.1(b), finding that ACL had engaged in a separate contravention of s 13G for each of the 223,000 individuals in question.[30]

Penalties 

ACL and OAIC negotiated and agreed a total penalty of $5.8 million, comprising:

  • $4.2 million for failing to take reasonable steps to protect personal information from unauthorised access or disclosure (in breach of APP 11.1(b)); 

  • $800,000 for failing to carry out a reasonable and expeditious assessment of whether the cyberattack amounted to an eligible data breach (in breach of s 26WH(2)); and 

  • $800,000 for failing to notify OAIC as soon as practicable (in breach of s 26WK(2)). 

This represented a sizable departure from the maximum penalties theoretically available – namely, $495 billion for the 223,000 contraventions of s 13G(a) arising from ACL’s breaches of APP 11.1(b), and $2.22 million for each of ACL’s single contraventions of s 13G(a) by breaching s 26WH(2) and s 26WK(2).[31]

Justice Halley considered that several factors pointed towards the agreed penalty being “manifestly inadequate” or outside an acceptable range: 

  1. the contraventions were extensive and significant, with the cyber deficiencies known to ACL; 

  2. ACL failed to act with sufficient care and diligence in managing the risk of a cyberattack;

  3. there was potentially significant harm to individuals, including financial harm, distress or psychological harm and material inconvenience, given the nature of the data; 

  4. there was potential impact on public trust in entities who hold and manage private and sensitive information; 

  5. ACL was one of Australia’s largest private hospital pathology businesses with large net profits; and

  6. ACL’s most senior management were involved in the decision-making around integrating the Medlab IT systems and responding to the cyberattack.[32] 

Nonetheless, his Honour held that the agreed penalty fell within the permissible range in the circumstances.  His Honour recognised that the abovementioned considerations must be weighed against several mitigating factors, including that: 

  1. ACL did not derive financial gain or benefit from the contraventions; 

  2. ACL had not previously been found to have contravened the Privacy Act or engaged in any similar conduct; 

  3. the contraventions were not deliberate; 

  4. ACL had been reviewing and uplifting its cybersecurity processes prior to the cyberattack; 

  5. ACL had cooperated with OAIC’s investigation; 

  6. ACL had admitted its contraventions; 

  7. ACL had made a public apology; and 

  8. notwithstanding that there were over 223,000 contraventions, each arose from a single course of conduct.[33] 

Key Observations  

These recent case developments are a notable indication of the trend towards (1) increased litigation risk, with individuals now able to bring direct claims for serious invasions of their privacy, or for any breach of a Privacy Act civil penalty provision, and (2) increased regulatory scrutiny of Privacy Act contraventions, even where conduct is not deliberate and where entities have relied upon investigations undertaken by third-party cybersecurity or IT providers. 

In protecting against these known and emerging risks, it is a particularly important juncture for organisations to observe and implement the following.

  • Keep abreast of the evolving legislative requirements and expected standards of care and diligence with respect to privacy compliance, as privacy reforms are both enacted and tested before the Courts.

  • Build a privacy and data governance framework and culture which focuses on demonstrated accountability, rather than ‘light touch’ compliance. OAIC (which has expanded investigation and enforcement tools, and a new tiered civil penalty system) will have close regard to an entity’s privacy culture.  Note that maximum penalties have since been greatly enhanced beyond those applicable to ACL’s contraventions (from $2.22 million to $50 million or more, for each serious or repeated interference with privacy).

  • Privacy policies should be reviewed for robust compliance with APP 1.4 ahead of the first OAIC ‘privacy compliance sweep’ commencing in the first week of January 2026.  While this initial sweep will target entities who collect information in-person, further compliance reviews can be expected.

  • APP entities should also prioritise a review of all automated decision-making across their businesses and make any necessary updates to their privacy policies (to comply with incoming APP 1.7, 1.8 and 1.9, ahead of the deadline of 11 December 2026).

  • Remain vigilant that APP 11’s “reasonable steps” obligations now require proactive measures, both technical and organisational. These measures should be well-documented, regularly assessed, and proportionate to the nature, sensitivity and volume of data held.  They encompass, at least, robust data governance, strong cybersecurity systems and controls, effective and tested incident response plans, data minimisation and destruction procedures, clearly defined roles and responsibilities, suitably qualified staff[34] and ongoing training.  An entity will be attributed the conduct and state of mind of its directors, employees or agents.

  • “Eligible data breach” obligations under the Privacy Act include reasonable and expeditious assessments and notifications without undue delay. Failure to comply with these requirements may attract significant civil penalties, depending on the nature and extent of the breach.  Reliance on a third-party cybersecurity provider’s assessment of a possible or suspected data breach may not be sufficient – responsibility remains with the entity, its directors and officers.  Legal advice should be sought promptly to inform, but not impede, any required regulatory notifications. 

  • Organisations are reminded of the importance of data, privacy and cyber due diligence, and appropriate protective or mitigating actions to reduce vulnerabilities, in the context of mergers and acquisitions, along with supply chains, AI usage, and dealings with contractors and other third parties who may introduce or heighten privacy risks. 

KEY TAKEAWAYS

  • The first claims have been brought under the new statutory tort for serious invasions of privacy, indicative of heightened litigation risk sparked by recent privacy law reforms.

  • The first civil penalty has also been ordered under the Privacy Act, with $5.8 million in penalties imposed on Australian Clinical Labs.  The Federal Court’s decision provides the first judicial guidance on the diligence required to protect personal information, and to conduct assessments and make required notifications where an “eligible data breach” has or may have occurred. 

  • The first privacy compliance sweep has been announced by OAIC for January 2026, targeting privacy policies for entities who collect information in-person, but signalling further enforcement activity to come.

  • As a new year priority for 2026, APP entities should review their privacy policies for compliance with APP 1.4.  They should also review all automated decision-making across their business and update privacy policies in readiness for the incoming APP 1.7, 1.8 and 1.9 in 2026.

  • Reliance on investigations or advice of cybersecurity / IT providers may not be sufficient to properly assess a suspected eligible data breach or inform legal and reporting obligations. 

  • APP entities should build a culture of demonstrated accountability and must ensure compliance with privacy reforms as they are successively rolled out. 

  • An upward trend in privacy litigation and regulatory action is underway, in the wake of new compensation avenues and an expanded OAIC toolkit and penalty regime.  This translates to an increase in legal, financial and reputational risk for those organisations who fall short in their privacy and data governance practices.


[1] Privacy Commissioner Carly Kind, as a panel member on 18 November 2025 for the Australian Institute of Company Directors’ seminar ‘Strengthening data governance following the 2024 privacy reforms’.

[2] Office of the Australian Information Commissioner, ‘Privacy compliance sweep to put privacy policies under spotlight’ (Web Page, 9 December 2025) <https://www.oaic.gov.au/news/media-centre/privacy-compliance-sweep-to-p…>.

[3] Sam Groth & Anor v The Herald and Weekly Times Pty Ltd & Ors VID1130/2025, Statement of Claim [1]-[5]; [7]-[83].

[4] Privacy Act, Schedule 2, ss 15-18. 

[5] Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396.

[6] Ibid at [16]. 

[7] Ibid at [26]. 

[8] Ibid at [17]. 

[9] Ibid at [28]. 

[10] Ibid at [30]. 

[11] Ibid at [5]. 

[12] Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224 at [6]. 

[13] Ibid at [2]. 

[14] Ibid at [15]. 

[15] Ibid at [18]. 

[16] Ibid at [22]-[30].

[17] Ibid at [31]-[35].

[18] Ibid at [38].

[19] Ibid at [53].

[20] Ibid at [52].

[21] Ibid at [74].

[22] Ibid at [75]. 

[23] Ibid at [76]-[78]. 

[24] Ibid at [86].

[25] Ibid at [87].

[26] Ibid at [88]. 

[27] Ibid at [89]-[90]. 

[28] Ibid at [57]. 

[29] Ibid at [55], [58], [79], [91].

[30] Ibid at [59]-[62]. 

[31] Ibid at [121]. 

[32] Ibid at [123]-[129]. 

[33] Ibid at [130]-[138]. 

[34] Commissioner Initiated Investigations into Vinomofo Pty Ltd (Privacy) [2025] AICmr 175 (17 October 2025).