Australian Privacy Breaches & Data Breach Litigation Risk

Key Takeaways

  • Expanded penalties under the Privacy Act 1988 (Cth): Organisations now face a tiered system of civil penalties, with fines up to $50 million or more for serious privacy breaches and new penalties for non-serious and administrative breaches.
  • New legal pathways for individuals: The introduction of a statutory tort for serious invasions of privacy and a direct right of action for breaches of the Privacy Act 1988 (Cth) means individuals can now sue organisations directly, increasing litigation risk.
  • Directors’ personal liability: Directors and officers can be held personally liable for failing to manage privacy and cybersecurity risks, with ASIC signalling enforcement action for serious failures to mitigate foreseeable risks like cyber-attacks.
  • Mandatory incident response and third-party management: Organisations must have a data breach response plan and robust controls over third-party vendors to minimise harm, demonstrate compliance, and reduce exposure to regulatory and litigation consequences.

Introduction

Australian organisations now face heightened privacy and cybersecurity risks as data breaches become more frequent and the legal consequences more severe. Recent reforms to the Privacy Act 1988 (Cth) and the introduction of new privacy and cybersecurity laws have significantly increased both regulatory enforcement and litigation risk for not-for-profits and charities.

With the expansion of civil penalties, the introduction of a statutory tort for serious invasions of privacy, and a growing trend of data breach litigation, compliance is no longer optional. The evolving legal landscape means that organisations must review their privacy policies and practices, understand their obligations under the new privacy and cybersecurity law in Australia, and consider consulting a not-for-profit lawyer to manage privacy risk and litigation exposure.

Understanding the NFP Regulatory Landscape

When the Privacy Act Applies to Your NFP

Not every not-for-profit (NFP) organisation is automatically required to comply with the Privacy Act 1988 (Cth). The primary trigger for compliance is financial, as the Act generally applies to any NFP with an annual turnover of more than $3 million. This turnover includes all income from every source.

However, an organisation can fall under the Act’s jurisdiction regardless of its annual turnover. Your NFP will also need to comply with the Privacy Act 1988 (Cth) if it engages in specific activities, including if it:

  • Provides a health service, even if this is not its main activity.
  • Operates as a contracted service provider for an Australian Government contract.
  • Trades in personal information, such as selling or purchasing supporter lists.
  • Is related to a larger corporate body that is already covered by the Privacy Act 1988 (Cth).

Additionally, NFPs that are not otherwise covered can make a public commitment to good privacy practice by choosing to opt-in to be covered by the Privacy Act 1988 (Cth).

The Overlapping Roles of the OAIC & ACNC

When a data breach occurs at a registered charity, two key regulators may become involved: the Office of the Australian Information Commissioner (OAIC) and the Australian Charities and Not-for-profits Commission (ACNC). These bodies have distinct but complementary roles in overseeing the organisation’s compliance.

The OAIC is the national regulator responsible for enforcing the Privacy Act 1988 (Cth). Its primary focus is on ensuring organisations handle personal information correctly and respond appropriately to data breaches.

The ACNC, on the other hand, is the national regulator for charities and is responsible for ensuring they meet their obligations under the ACNC Governance Standards—a critical area of charity governance and ACNC compliance.

A significant data breach can trigger obligations under both regulatory frameworks:

  • The OAIC would investigate the incident as a potential interference with privacy.
  • The ACNC may view it as a failure to meet governance duties, such as the duty for directors to act with reasonable care and diligence under ACNC Governance Standard 5.

The Rising Threat of Regulatory Enforcement & Penalties

The OAIC’s Expanded Enforcement Powers

The OAIC has adopted a more proactive and enforcement-focused approach to privacy and cybersecurity compliance. Recent amendments to the Privacy Act 1988 (Cth) have significantly expanded the OAIC’s powers, introducing a tiered system of civil penalties that increases regulatory enforcement risk for organisations. This new structure now addresses a broader range of privacy breaches, moving beyond the previous focus on only “serious or repeated” interferences.

The updated penalty scheme under the Privacy Act 1988 (Cth) includes three distinct levels of civil penalties for different types of breaches:

  • Serious Interferences: For conduct that “seriously” interferes with an individual’s privacy, the maximum penalties remain substantial, with a company facing fines of up to $50 million or more.
  • ‘Non-Serious’ Interferences: A new ‘medium-level’ category has been introduced for privacy interferences that are not classified as serious, with a maximum penalty for a company in this tier of $3.3 million.
  • Administrative Breaches: The OAIC can now issue infringement and compliance notices for lower-level administrative breaches, such as not having a compliant privacy policy, with fines reaching up to $330,000 for a company.

Case Study: Australian Clinical Labs & Oxfam Australia

Recent regulatory actions provide clear examples of the tangible consequences of a data breach. In the case Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, Australian Clinical Labs faced the first-ever civil penalty order under the Privacy Act 1988 (Cth), signalling a new era of stricter regulatory enforcement. This case demonstrates that the OAIC is prepared to use its enhanced powers to pursue significant penalties against organisations following a data breach.

The not-for-profit sector is also subject to this heightened scrutiny. The OAIC’s investigation into Oxfam Australia (OAIC reference: CII21/00010) followed a 2021 data breach that affected up to 1.7 million records. In response, Oxfam offered an enforceable undertaking (EU), which the OAIC accepted. An EU is an agreement that allows a regulator to reform an organisation’s privacy practices and compliance without resorting to more drastic actions like fines.

While accepting the EU was not a formal finding that Oxfam had breached the Privacy Act 1988 (Cth), it required the organisation to implement a range of measures to improve its data handling. The terms of an EU are court-enforceable, so failure to comply can lead to further legal action. This case highlights the need for all organisations, including charities, to maintain responsible privacy practices to avoid regulatory intervention.

Increased Civil Liability from Privacy Breaches

The New Statutory Tort for Serious Invasions of Privacy

A significant change to Australia’s legal landscape is the introduction of a statutory tort for serious invasions of privacy. This new legal pathway allows individuals to sue an organisation directly for an intentional or reckless invasion of privacy, covering situations both within and outside the scope of the Privacy Act 1988 (Cth). Consequently, litigation risk for any organisation that handles personal data has increased markedly.

To succeed in a claim, a claimant must establish several elements. The court must be satisfied that:

  • An intrusion into the individual’s seclusion or a misuse of their private information occurred.
  • The individual had a reasonable expectation of privacy in the circumstances.
  • The invasion of privacy was serious.
  • The invasion was committed intentionally or recklessly, not merely negligently.
  • The public interest in protecting privacy outweighs any competing public interest, such as freedom of expression or national security.

If a claim succeeds, courts can award a range of remedies. These may include:

  • Damages for non-economic loss, such as emotional distress.
  • Injunctions to prevent further breaches.
  • In exceptional cases, punitive damages.

Direct Right of Action for Privacy Act Breaches

Alongside the statutory tort, a separate direct right of action now exists for individuals who suffer loss or damage due to a breach of the Privacy Act 1988 (Cth). This additional avenue amplifies the potential for data-breach litigation.

Before an individual can commence court proceedings, they must first lodge a complaint with the OAIC. If the OAIC decides there is no reasonable likelihood of resolving the complaint through conciliation, the individual may proceed with legal action, and the court can make any order, including unlimited damages.

The Growing Risk of Data Breach Class Actions

Mass data breaches increasingly attract class action lawsuits. These actions represent a significant financial and reputational risk because they aggregate numerous individual claims into one large-scale challenge.

The statutory tort and the direct right of action are expected to fuel this trend, making it easier for affected groups to seek compensation. Consequently, organisations now face a higher risk of class action litigation, with the potential for substantial financial penalties and long-term damage to public trust.

Directors’ Duties & Personal Liability

ACNC Governance Standard 5 & Your Directors’ Responsibilities

For registered charities, directors must adhere to the duties outlined in ACNC Governance Standard 5. These responsibilities are directly relevant to data governance and how an organisation manages privacy and cybersecurity risks. A significant data breach could be viewed as a failure to meet these duties.

Under Governance Standard 5, a charity must ensure its directors comply with several key duties, including:

  • The duty to act with reasonable care and diligence requires directors to exercise their powers with the degree of care that a reasonable person would in their position. This includes taking appropriate steps to understand and oversee the organisation’s data protection measures.
  • The duty to act in good faith means all actions must be in the best interests of the charity and aligned with its charitable purposes. Protecting the personal information of supporters and beneficiaries is integral to maintaining trust and acting in the organisation’s best interest.
  • The duty not to misuse position or information prohibits directors from using their role or the information they access to gain a personal advantage or to cause harm to the charity. This duty is particularly critical in the context of handling sensitive personal data.
  • The duty to manage financial affairs responsibly is focused on finances but also extends to ensuring that resources are adequately allocated to protect critical assets, including personal information, from a potential breach.

Personal Liability & the Risk of ASIC Enforcement

Directors and officers have a fundamental duty to act with care and diligence, which involves protecting their organisation from foreseeable risks of harm.

In the current digital landscape, cyber-attacks and data breaches are considered a significant and foreseeable risk.

Consequently, a failure to implement adequate privacy and cybersecurity protections can expose directors and officers to personal liability for breaching their duty of care. The Australian Securities and Investments Commission (ASIC) has indicated its intention to pursue enforcement action against individual directors and officers for serious failures to mitigate these risks.

This signals a shift towards holding individuals accountable for an organisation’s cybersecurity posture, increasing the personal litigation risk for those in leadership positions.

Building a Litigation-Ready Incident Response Framework

Key Elements of a Data Breach Response Plan

A core part of good privacy practice is being prepared for when things go wrong. Having a data breach response plan in place is essential for any organisation, as it enables a quick response to a security incident. This preparation can minimise the potential harm to individuals, reduce the financial and reputational damage to your organisation, and support compliance with the Notifiable Data Breaches scheme.

An effective response plan should be built on foundational privacy principles. These key elements help reduce the impact of a potential data breach and demonstrate responsible privacy practices. Your plan should incorporate processes to:

  • Minimise Data Collection: Only collect personal information that your organisation truly needs. Avoid collecting data simply because it might be useful later, as this increases privacy and cybersecurity risks.
  • Ensure Secure Storage: Take reasonable steps to protect the personal information you hold from misuse, interference, loss, and unauthorised access. This includes both digital and physical security measures.
  • Implement Data Retention and Deletion Policies: Your organisation should only retain personal information for as long as it is needed for a specific purpose. Establish clear systems for regularly reviewing and securely destroying or de-identifying data that is no longer required.

Managing Third-Party & Vendor Risk

Your organisation is responsible for the personal information it shares with third-party service providers, such as fundraising agencies or software vendors. As the Qantas data breach demonstrated, a compromise of a third-party provider is a direct risk to your organisation and its stakeholders. It is critical to conduct due diligence and establish strong contractual protections.

When engaging external vendors, you should take reasonable steps to ensure their privacy practices meet community expectations and your legal obligations. Key measures include:

  • Reviewing Contracts Carefully: Before signing an agreement, understand how the third party collects, handles, and stores personal information. The contract should specify how data can be used, how it will be secured, and how it will be returned or deleted at the end of the term.
  • Assessing their Security Posture: Request documentation like the vendor’s privacy policy, information security policy, and data breach response plan to ensure they have appropriate processes in place.
  • Conducting Periodic Reviews: Once a contract is in place, conduct regular reviews of the arrangements to ensure ongoing compliance and maintain a clear audit trail of what personal information the third party holds.
  • Confirming Data Deletion: At the end of the contract, require the third party to confirm in writing that they have deleted all personal information in accordance with the agreed terms.

Conclusion

Australian not-for-profit organisations face a heightened risk of data breach litigation due to expanded regulatory enforcement, significant civil penalties, and new legal pathways for individuals to seek compensation. This evolving landscape demands proactive privacy compliance, effective incident response planning, and a clear understanding of directors’ personal liabilities to manage privacy and cybersecurity risks.

To ensure your organisation’s privacy policies and practices are fully compliant with the new privacy and cybersecurity law in Australia, contact the expert not-for-profit lawyers at LawBridge for specialised legal advice. Our team can help you review your data protection framework, manage your privacy risk, and prepare for the legal implications of a data breach.

Published By
Mohamad Kammoun