OAIC enforcement powers under the Privacy Act 1988
The Office of the Australian Information Commissioner (OAIC) is the statutory regulator responsible for enforcing the Privacy Act 1988 (Cth). The Australian Information Commissioner holds a range of investigative and enforcement powers under Part V and Part VIA of the Privacy Act, updated most recently by the Privacy and Other Legislation Amendment Act 2024 (POLA Act), which commenced on 10 December 2024.
Investigative powers
The Commissioner may investigate privacy complaints lodged by individuals under section 40 of the Privacy Act, and may also initiate investigations on the Commissioner's own motion under section 40A (Commissioner-initiated investigations, or "CIIs"). Prior to commencing a CII, the Commissioner may conduct preliminary inquiries under section 42(2) to determine whether a full investigation is warranted.
During an investigation, the Commissioner has compulsory information-gathering powers under sections 44–45, including the power to require an entity to provide information or documents, and to compel a person to attend before the Commissioner. The Commissioner may also enter premises and inspect documents by consent or under a warrant (section 68). Failing to comply with a notice to give information or produce documents contravenes section 66(1), which is itself a civil penalty provision; for that contravention the OAIC may issue an infringement notice of 12 penalty units (individuals) or 60 penalty units (bodies corporate) under section 80UB instead of going to court.
Enforcement mechanisms
The Commissioner's enforcement powers escalate from collaborative engagement to formal legal action:
- Privacy assessments under section 33C: The OAIC may conduct assessments of an entity's privacy practices and issue non-binding recommendations.
- Enforceable undertakings under section 80V: The Commissioner may accept a court-enforceable undertaking from an entity to address privacy breaches, with breach of the undertaking enforceable in the Federal Court.
- Determinations under section 52: Following a complaint investigation or CII, the Commissioner may make a formal determination requiring the entity to take specified action (e.g., cease the act or practice, redress loss or damage, implement systems to prevent recurrence). Under section 52(1B), the Commissioner may also declare that the entity seriously and/or repeatedly interfered with privacy. Determinations are enforceable in the Federal Court or Federal Circuit and Family Court under section 55A.
- Injunctions under section 80W: The Commissioner may seek an injunction from a court to prevent conduct that would contravene the Privacy Act, available before, during, or after an investigation.
- Civil penalty proceedings under section 80U: The Commissioner may apply to the Federal Court or Federal Circuit and Family Court for a civil penalty order against an entity that has contravened a civil penalty provision in the Privacy Act. Applications must be made within six years of the alleged contravention (section 80U(2)).
Collaborative approach
The OAIC's Privacy Regulatory Action Policy articulates a graduated regulatory approach that favours engagement, advice, and support over deterrence and punishment where appropriate, selecting the enforcement tool proportionate to the risk and harm involved. The OAIC also collaborates with other Australian regulators and international privacy authorities, including through the APEC Cross-border Privacy Enforcement Arrangement and the Global Privacy Enforcement Network.
The Commissioner has information-sharing powers under sections 33A and 33B, enabling disclosure to enforcement bodies, alternative complaint bodies, State or Territory privacy authorities, and public disclosure where satisfied it is in the public interest.
Source: Privacy Act 1988 (Cth)
Source: OAIC Privacy Regulatory Action Policy
Source: OAIC Guide to Privacy Regulatory Action – Chapter 2
Civil penalty amounts — three-tier structure under sections 13G and 13H
The Privacy and Other Legislation Amendment Act 2024 (POLA Act) introduced a three-tier civil penalty regime for privacy interferences, replacing the previous single-tier framework. The amendments to the Privacy Act 1988 commenced on 10 December 2024 and apply to conduct on or after that date. Civil penalty applications are made by the Commissioner under section 80U to the Federal Court or the Federal Circuit and Family Court of Australia; the court determines the actual penalty amount within the statutory maxima, taking into account aggravating and mitigating factors.
Tier 1: Serious interference with privacy — section 13G
Section 13G sets the maximum civil penalty for a serious interference with the privacy of an individual. In deciding whether an interference is serious, the court may have regard to matters including: a substantial privacy contravention; a high degree of negligence or recklessness; conduct causing, or likely to cause, substantial damage or distress; a significant quantity of personal information; or the involvement of sensitive information (as defined in section 6(1) of the Privacy Act; the Australian Privacy Principles regulate its handling but do not define it). The POLA Act removed the "repeated" threshold for this top tier: a single serious interference now suffices.
For a person other than a body corporate (individuals, partnerships, unincorporated associations, sole traders), the maximum penalty is $2,500,000 per contravention.
For a body corporate, the maximum penalty is the greatest of:
- $50,000,000;
- three times the value of any benefit obtained directly or indirectly by the body corporate and any related bodies corporate that is reasonably attributable to the contravention; or
- if the court cannot determine the value of that benefit, 30 percent of the adjusted turnover of the body corporate during the breach period (defined as the 12-month period ending at the end of the month in which the conduct constituting the contravention occurred).
The adjusted-turnover calculation follows the methodology in Division 2 of Part VI of the Competition and Consumer Act 2010 (Cth) and may require accounting expert evidence in contested proceedings.
Tier 2: Non-serious interference with privacy — section 13H
Section 13H applies to an interference with the privacy of individuals that does not meet the serious-interference threshold under section 13G. This mid-tier penalty applies to contraventions that are substantive but lack the aggravating features (high negligence, large volume, sensitive information, or substantial damage) required for a section 13G finding.
The maximum penalty under section 13H is 2,000 penalty units per contravention for a person other than a body corporate. At the current penalty-unit value of $330 (as of 1 July 2024 under section 4AA of the Crimes Act 1914 (Cth)), this equates to a maximum of $660,000 per contravention. (Penalty-unit values are indexed annually; practitioners should verify the current unit value at the time of assessment.)
Unlike section 13G, section 13H has no turnover-based or benefit-based alternative calculation. The general body-corporate multiplier in section 82(5) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) does apply, however, so a body corporate faces up to five times the stated figure: 10,000 penalty units, or $3,300,000 per contravention at the current unit value.
Tier 3: Infringement notices for specified contraventions — section 13K
Section 13K designates certain civil penalty provisions for which the Commissioner may issue infringement notices under section 80UB, avoiding the need for court proceedings. Infringement-notice penalties are materially lower than court-imposed civil penalties and are paid directly to the Commonwealth. An entity may choose not to pay, in which case the OAIC may commence court proceedings for the underlying contravention.
The infringement-notice provisions include failure to comply with a notice to give information or produce documents (section 66(1)), and specified contraventions of the Australian Privacy Principles or the notifiable data breaches scheme set out in the regulations. Under section 80UB and Part 5 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth), the maximum infringement penalty is expressed in penalty units and varies depending on whether the recipient is a body corporate and, if so, whether it is a listed corporation.
As of 10 December 2024, regulations specifying the precise infringement-notice amounts for each listed provision had not yet been made, but the OAIC's Guide to Privacy Regulatory Action (Chapter 8, published December 2024) states that the infringement-notice amount will be 12 penalty units for individuals and 60 penalty units for bodies corporate that are not listed corporations. (At $330/unit, this equates to $3,960 and $19,800 respectively.) For publicly listed corporations the maximum is higher, with the precise multiple to be set by regulation; early OAIC guidance indicated $66,000 per infringement for listed companies.
Infringement notices must be issued within 12 months of the alleged contravention. The recipient may apply to the Commissioner for withdrawal of the notice by written representation, and the OAIC's published policy states that withdrawal is appropriate where the recipient provides persuasive evidence that the alleged contravention did not occur or that issuing the notice was otherwise inappropriate.
Multiple contraventions and compounding exposure
Under section 80Z, each act or omission that contravenes a civil penalty provision is a separate contravention for penalty purposes. In privacy-breach litigation, this often means that a single data-breach incident affecting thousands of individuals may give rise to one penalty per individual whose privacy was interfered with. The first Australian civil penalty decision under the Privacy Act, Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, imposed a total penalty of $5.8 million comprising separate penalties for breach of Australian Privacy Principle 11.1 ($4.2M), breach of the notifiable data breaches assessment obligation under section 26WH(2) ($800K), and breach of the notification obligation under section 26WK(2) ($800K), all in respect of a single 2022 cyberattack affecting approximately 223,000 individuals. Justice Halley's reasons confirmed that the court may impose a separate penalty for each affected individual, though in that case the parties agreed to consolidate the penalties and the court accepted the joint submission.
Practitioners advising on exposure should assess penalty risk on both a per-contravention and per-individual basis, particularly where a breach involves large volumes of personal information or a systemic failure across a customer base. The tiered penalty regime gives the court (or the OAIC, for infringement notices) flexibility to calibrate the sanction to the seriousness of the conduct, the size of the entity, and the harm to individuals.
Source: Privacy Act 1988 (Cth) — sections 13G, 13H, 13K, 80U, 80UB, 80W, 80Z
Source: OAIC Guide to Privacy Regulatory Action — Chapter 7: Civil penalties
Source: OAIC Guide to Privacy Regulatory Action — Chapter 8: Infringement notices
Source: Crimes Act 1914 (Cth) — section 4AA (penalty unit value)
Private right of action — two pathways to compensation for individuals
Individuals in Australia have two statutory pathways to seek compensation for privacy interferences, each with distinct procedural requirements, thresholds, and remedies. The first pathway, a complaint to the Office of the Australian Information Commissioner (OAIC) under section 36 of the Privacy Act 1988 (Cth), has been available since the Act's inception and allows the Commissioner to make a binding determination under section 52 requiring the respondent entity to pay compensation. The second pathway, a direct tort claim in court under Schedule 2 of the Privacy Act, was added by the Privacy and Other Legislation Amendment Act 2024 (POLA Act); although the POLA Act received Royal Assent on 10 December 2024, the statutory tort commenced six months later, on 10 June 2025. It is available only for serious invasions of privacy and operates independently of the complaint regime.
Pathway 1: Complaint to the OAIC and determination under section 52
Under section 36(1) of the Privacy Act, an individual may lodge a complaint with the Commissioner about an act or practice that may be an interference with privacy under section 13 — typically, a breach of one or more of the Australian Privacy Principles (APPs) or the notifiable data breaches (NDB) scheme. The Commissioner investigates the complaint and may make a determination under section 52 if the complaint is substantiated.
A section 52 determination may include a declaration that the complainant (or, in the case of a representative complaint, the class members) is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice (section 52(1)(b)(iii) or section 52(1A)(d)). "Loss or damage" is defined in section 6AAA to include injury to the complainant's feelings or humiliation suffered by the complainant, in addition to economic loss. The OAIC's Guide to Privacy Regulatory Action (Chapter 5, December 2024) states that compensation is intended to restore the complainant to the position they would have been in had the privacy breach not occurred, and the OAIC will require evidence of loss or damage directly resulting from the breach.
The determination itself is not a court order, but it is enforceable in the Federal Court or the Federal Circuit and Family Court of Australia under section 55A. Either the complainant or the Commissioner may apply to a court for an order directing compliance with the determination. A determination ordering compensation is enforceable as if it were a monetary judgment of the court (section 62). In the landmark determination 'WP' — Australian Information Commissioner v Secretary, Department of Immigration and Border Protection [2021] AICmr 1, the Commissioner ordered the Department to pay compensation for non-economic loss to 1,297 class members affected by a 2014 unauthorised disclosure of personal information on a public website; the determination set out a tariff of indicative compensation amounts ranging from $3,000 to $15,000 per affected individual, depending on the category and severity of loss or distress experienced.
Representative complaints may be lodged under section 38(1) where the complainant and a class of individuals are all affected by the same alleged privacy interference. Representative complaints provide a mechanism analogous to class actions: a single determination can apply to thousands of class members, and the Commissioner may declare that class members are entitled to compensation under section 52(1A)(d). The largest representative complaints to date have been the Medibank and Optus data breach matters; as of June 2026, those investigations remain ongoing, with parallel civil penalty proceedings initiated by the OAIC in the Federal Court.
Pathway 2: Statutory tort for serious invasions of privacy — Schedule 2
Schedule 2 of the Privacy Act establishes a cause of action in tort for serious invasions of privacy, added by the POLA Act and operative from 10 June 2025. An individual (the plaintiff) may bring proceedings directly in a court of competent jurisdiction (Federal Court, Federal Circuit and Family Court, or a State or Territory supreme court) without first lodging a complaint with the OAIC.
Under clause 7(1) of Schedule 2, the plaintiff must prove three elements:
- The defendant invaded the plaintiff's privacy by (a) intruding upon the plaintiff's seclusion, or (b) misusing information relating to the plaintiff (including by collecting, using, or disclosing the information);
- A person in the position of the plaintiff would have had a reasonable expectation of privacy in all the circumstances; and
- The invasion of privacy was serious.
"Serious" is defined in clause 7(2) by reference to five factors: (a) the nature and extent of the invasion; (b) the circumstances in which the invasion occurred; (c) whether the defendant knew, or ought reasonably to have known, that the plaintiff did not consent to the invasion; (d) the effect of the invasion on the plaintiff; and (e) any other relevant matter. The plaintiff bears the burden of proving seriousness — the tort does not cover non-serious privacy intrusions, and it is narrower in scope than the OAIC complaint regime (which covers all APP breaches regardless of severity).
The court may grant remedies including damages (clause 11), injunctions (clause 9), and other remedies the court considers appropriate (clause 12). Damages may include compensation for economic loss, non-economic loss (distress, humiliation, injury to feelings), and, where the defendant's conduct was intentional or reckless and the circumstances justify it, exemplary or punitive damages (clause 11(3)). There is no statutory cap on damages under the tort. The limitation period in clause 14 is short: the plaintiff must commence proceedings within one year of the day on which the plaintiff became aware of the invasion of privacy, and in any event within three years of the invasion itself; the court may extend the one-year period (but not beyond three years after the invasion) where it is satisfied that doing so is just and reasonable.
Defences are set out in clause 8 and include lawful authority (acting under or in accordance with an Australian law or a court or tribunal order), consent, necessity, and defence of persons or property. Where the invasion involved publication of information, the defendant may also invoke the defamation-like defences of absolute privilege, qualified privilege, and honest opinion (clause 8(1)(e)–(g)). Clause 15 carves out an exemption for journalists and media organizations acting in accordance with public interest journalism standards, and clauses 16–16B exempt government agencies (other than intelligence and law enforcement bodies) and their staff members for conduct done in good faith in the performance of official functions, and fully exempt law enforcement bodies.
Schedule 2 is intended to be read and construed separately from the rest of the Privacy Act (clause 6(2)); the tort operates independently, and a finding that conduct breached an APP does not automatically establish the tort (nor vice versa). The first reported decision to consider the tort, Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396, was delivered by the New South Wales District Court in 2025.
Comparison of the two pathways
| Feature | OAIC complaint (s 36, s 52) | Statutory tort (Schedule 2) |
|---------|---------------------------|---------------------------|
| Threshold | Any interference with privacy (APP breach or NDB breach) | Serious invasion of privacy only |
| Forum | Complaint to OAIC; enforcement in court under s 55A if necessary | Direct court proceeding |
| Damages cap | No statutory cap; OAIC discretion | No statutory cap; court discretion |
| Exemplary damages | Not available | Available (clause 11(3)) |
| Representative mechanism | Representative complaint (s 38) | Class action under Part IVA Federal Court Act or equivalent State/Territory rules |
| Time limit | No fixed limit for lodging, but the Commissioner may decline a complaint made more than 12 months after the complainant became aware of the act (s 41(1)(c)); determination enforced in court under s 55A | 1 year from awareness, and at most 3 years from the invasion; extendable by the court (clause 14) |
| Cost | Complaint to OAIC is free; court enforcement may attract costs | Court filing fees and litigation costs (adverse costs risk) |
| Defences | Determined by Commissioner under APP framework | Statutory defences in clause 8 including lawful authority, consent, privilege |
| Exemptions | Journalism exemption under s 7B(4); small business operator exemption under ss 6C and 6D | Journalists exemption (clause 15); government/LEO exemptions (clauses 16–16B) |
Practitioners advising on exposure should assess both pathways. High-volume data breaches affecting thousands of individuals are likely to trigger both representative complaints to the OAIC (seeking determination-based compensation, often benchmarked to the 'WP' tariff) and class actions under the Schedule 2 tort (seeking potentially higher damages including exemplary damages where conduct was egregious). The Medibank and Optus matters illustrate this dual-track exposure: the OAIC has filed civil penalty proceedings under section 13G, separate representative complaints are under investigation by the OAIC, and third-party-funded class actions have been commenced in the Federal Court under Schedule 2 and general law negligence claims.
Where a breach is substantive but not "serious" within the meaning of clause 7(2) of Schedule 2, the OAIC complaint pathway remains the only statutory avenue for individual compensation (unless the plaintiff can establish a separate general-law cause of action such as the equitable action for breach of confidence or the tort of negligence, which are preserved by clause 21 of Schedule 2).
Source: Privacy Act 1988 (Cth) — sections 6AAA, 13, 36, 38, 52, 55A, 62; Schedule 2
Source: OAIC Guide to Privacy Regulatory Action — Chapter 1: Privacy complaint handling process
Source: OAIC Representative complaints update (15 January 2024)
Court factors in determining civil penalty quantum — section 80Z statutory checklist
When the Federal Court or the Federal Circuit and Family Court of Australia imposes a civil penalty under section 80U of the Privacy Act 1988 (Cth), the court must determine the penalty amount within the statutory maximum by applying the factors set out in section 80Z. Section 80Z was enacted as part of the Privacy and Other Legislation Amendment Act 2024 (POLA Act) and commenced on 10 December 2024; it codifies and expands upon common-law penalty-setting principles previously applied by Australian courts in regulatory civil penalty proceedings.
Section 80Z statutory factors
Section 80Z(1) requires the court to consider all relevant matters, including the following twelve factors:
(a) The nature and extent of the contravention — the court examines the scope of the breach, the number of individuals affected, the volume and sensitivity of the personal information involved, and the duration of the contravening conduct. In Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, Justice Halley found that the breach of Australian Privacy Principle 11.1 (failure to secure personal information) was "extensive and significant" where it affected more than 223,000 individuals and involved health information, contact information, and financial data including tax file numbers.
(b) The circumstances in which the contravention took place — the court considers the operational context, including the entity's industry, size, sophistication, and specific vulnerabilities. In the ACL case, the court noted that the breach occurred shortly after ACL's acquisition of Medlab Pathology's IT systems in December 2021, that ACL was aware of elevated cybersecurity risks during the integration period, and that the Medlab IT systems had known deficiencies (lack of multi-factor authentication, minimal firewall log retention, no data-loss-prevention tools) that ACL had failed to remediate before the February 2022 cyberattack.
(c) Whether the entity has previously been found to have engaged in similar conduct — the court assesses the entity's compliance history. ACL had no prior Privacy Act contraventions; this was treated as a mitigating factor (see factor (j) below).
(d) The level of seniority of the persons involved in the contravention — the court examines whether senior management was involved in, or aware of, the contravening conduct. In ACL, Justice Halley found that "ACL's most senior management had oversight of the facts that gave rise to ACL's contraventions" and that the cybersecurity deficiencies and delayed breach notification "occurred at the highest levels of the organisation," which the court considered an aggravating factor.
(e) Whether the contravention was intentional, reckless or negligent — the court assesses the entity's state of mind. The ACL contraventions were characterised as negligent rather than intentional; ACL's overreliance on its third-party cybersecurity provider (StickmanCyber) and failure to interrogate the sufficiency of that provider's limited investigation demonstrated a lack of internal capability and an unreasonable reliance on inadequate external advice, but the court did not find deliberate disregard of privacy obligations.
(f) Whether the entity took steps to avoid or mitigate the contravention — the court considers preventive measures. In ACL, the court found that ACL's cyber incident playbook did not clearly define roles and responsibilities, did not provide detail on containment processes, lacked adequate testing, and failed to reflect the specific vulnerabilities of the Medlab IT systems. The absence of effective preventive steps was an aggravating factor.
(g) The extent to which the entity cooperated with the Commissioner in relation to the contravention — the court rewards cooperation. ACL was found to have "cooperated with the investigation undertaken by the office of the Commissioner"; this cooperation, along with ACL's admission of liability and agreement to a statement of agreed facts, was a significant mitigating factor that reduced the penalty quantum and avoided protracted litigation.
(h) Whether the entity has engaged in conduct that constitutes an interference with the privacy of individuals after becoming aware of the contravention — the court examines post-breach conduct. In ACL, the court noted that ACL took steps to improve its cybersecurity posture after the breach, including commencing "a program of works to uplift the company's cybersecurity capabilities"; these remedial actions demonstrated an emerging culture of compliance and were treated as a mitigating factor.
(i) The extent of loss or damage suffered because of the contravention — the court assesses actual and potential harm. In ACL, the court considered the "potential harm caused by the contraventions, including the risk of financial harm, distress, psychological harm, and material inconvenience to the individuals whose personal information was compromised." The exfiltrated data was published on the dark web, creating ongoing risk of identity theft and financial fraud. The court also found that ACL's delay of more than four months in notifying the Commissioner (from late February 2022, when the cyberattack occurred, to 10 July 2022) "impacted on the Commissioner's ability to perform her statutory function of monitoring ACL's notification to individuals whose personal information may have been compromised," compounding the harm.
(j) Whether the entity has previously been found to have engaged in any conduct that constitutes an interference with the privacy of individuals — this factor overlaps with factor (c) but is broader, encompassing any prior privacy interferences regardless of whether they resulted in formal enforcement. ACL had no prior history, which Justice Halley treated as a mitigating factor.
(k) The deterrent effect that any pecuniary penalty may have — the court considers both specific deterrence (deterring the respondent entity from future contraventions) and general deterrence (sending a signal to other APP entities). In ACL, Justice Halley emphasised that "the penalty needed to be sufficient to deter ACL from future contraventions and to send a strong message to other entities about the importance of complying with privacy obligations." The court noted that ACL was one of Australia's largest private hospital pathology businesses with annual revenue peaking at $995.6 million at the time of the breaches, and that the penalty must be large enough not to be perceived as a mere "cost of doing business."
(l) Any other relevant matter — this is a residual category permitting the court to consider factors not enumerated in (a)–(k). Courts have historically considered the respondent's financial capacity to pay, public apologies, and the totality principle (ensuring that the aggregate penalty across multiple contraventions is not oppressively severe).
Application in the Australian Clinical Labs case
The ACL matter was resolved by consent: ACL and the Commissioner filed a statement of agreed facts and admissions (SAFA) and proposed a joint penalty of $5,800,000. The court's role was to determine whether the agreed penalty fell within the "permissible range" and was appropriate in light of the section 80Z factors. Justice Halley accepted the proposed penalty, noting that it was "within the permissible range of penalties" and reflected an "instinctive synthesis" of the statutory factors.
However, Justice Halley also observed that the agreed penalty "may appear 'manifestly inadequate' or at least outside the range of penalties that would act as effective deterrence" given the nature and scale of the contraventions. ACL was exposed to a theoretical maximum penalty of approximately $495 billion (223,000 individuals × $2.22 million per contravention under the penalty regime in force at the time of the breach, before the POLA Act amendments). Against that maximum, the $5.8 million penalty represented approximately 0.001% of the theoretical exposure. The court accepted the penalty nonetheless, giving weight to ACL's cooperation, admissions, remedial steps, and the totality principle, and noting that the predictability of outcomes in civil penalty proceedings (promoted by agreed penalties) serves the public interest by encouraging entities to cooperate, admit liability, and avoid protracted litigation.
The penalties were allocated as follows:
- $4,200,000 for breach of Australian Privacy Principle 11.1 (failure to take reasonable steps to protect personal information from unauthorised access, comprising more than 223,000 separate contraventions of section 13G(a) of the Privacy Act);
- $800,000 for breach of section 26WH(2) (failure to carry out a reasonable and expeditious assessment of whether an eligible data breach had occurred within 30 days of the cyberattack); and
- $800,000 for breach of section 26WK(2) (failure to notify the Commissioner "as soon as practicable" after forming the view by 16 June 2022 that there were reasonable grounds to believe an eligible data breach had occurred — the court found that ACL should have notified within two to three days, not 24 days later on 10 July 2022).
ACL was also ordered to pay $400,000 toward the Commissioner's legal costs.
Practical implications for penalty exposure assessment
Practitioners advising on civil penalty exposure should:
- Assess on a per-contravention and per-individual basis. Section 80Z provides that each act or omission that contravenes a civil penalty provision is a separate contravention for penalty purposes. In data-breach cases, this typically means one contravention per affected individual, compounding exposure materially in high-volume breaches.
- Weight the section 80Z factors in light of ACL. The ACL judgment identifies which factors the court treated as aggravating (senior-management involvement, extensive harm, delay in notification, inadequate preventive systems) and mitigating (cooperation, admissions, remedial steps, no prior contraventions, agreed penalty avoiding litigation cost).
- Document cooperation and remediation. Post-breach conduct — particularly cooperation with the OAIC investigation, voluntary admissions, public apologies, and demonstrable cybersecurity uplifts — can materially reduce penalty quantum and narrow the gap between the theoretical maximum and the imposed penalty.
- Benchmark agreed penalties cautiously. The ACL penalty was agreed by consent and approved by the court as within the permissible range, but the court's observation that it "may appear manifestly inadequate" signals that contested proceedings or more egregious conduct (intentional or reckless breaches, repeat offenders, lack of cooperation) may attract substantially higher penalties, particularly under the post-December 2024 penalty regime (section 13G maxima of $50 million or 30% of turnover for bodies corporate).
- Apply the penalty regime in force at the time of the contravention. The ACL penalties were calculated under the pre-POLA Act regime (maximum $2.22 million per contravention). Contraventions occurring on or after 10 December 2024 are subject to the three-tier regime under sections 13G, 13H, and 13K, with materially higher maxima.
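The exposure arithmetic described in the tier summary above (the greatest-of rule for section 13G, the penalty-unit tiers, and the per-individual compounding that produced ACL's theoretical ceiling) is easy to get wrong by hand, particularly the rule that the 30 percent turnover limb only applies when the benefit cannot be determined. The following Python estimator is an added example for this page, not OAIC or court methodology. It uses only the dollar figures stated on the page (the $50M floor, 3x benefit, 30 percent adjusted turnover, $2.5M for other persons, 2,000 penalty units for section 13H, 12 and 60 units for infringement notices, a $330 penalty unit, and the $2.22M per contravention the page gives for the pre-POLA ACL matter); the function names, the sample inputs, and the five-times body-corporate multiplier applied to section 13H via section 82(5) of the Regulatory Powers (Standard Provisions) Act 2014 are this example's own assumptions. It models only the tiers in force from 10 December 2024 plus the ACL ceiling calculation.

```python
"""Penalty-exposure estimator for the Privacy Act tiers in force from 10 December 2024.

Added illustration for this page; not OAIC or court methodology.  Dollar figures are
those stated on the page.  Function names, sample inputs and the five-times
body-corporate multiplier for s 13H (assumed via RPA s 82(5)) are this example's own.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

PENALTY_UNIT = Decimal("330")                    # s 4AA Crimes Act value as at 1 July 2024
S13G_INDIVIDUAL_MAX = Decimal("2500000")         # s 13G, person other than a body corporate
S13G_BODY_CORPORATE_FLOOR = Decimal("50000000")  # s 13G, $50M floor for bodies corporate
S13H_UNITS = 2000                                # s 13H mid-tier maximum in penalty units
INFRINGEMENT_UNITS = {"individual": 12, "body_corporate": 60}   # s 80UB, non-listed recipients
BODY_CORPORATE_MULTIPLIER = 5                    # assumption: RPA s 82(5) applies to s 13H
PRE_POLA_BODY_CORPORATE_MAX = Decimal("2220000") # per-contravention figure the page gives for ACL


@dataclass
class Entity:
    body_corporate: bool
    adjusted_turnover: Optional[Decimal] = None  # turnover for the 12-month breach period


def s13g_maximum(entity: Entity, benefit: Optional[Decimal] = None) -> Decimal:
    """Per-contravention maximum for a serious interference (s 13G).

    A body corporate faces the greatest of the $50M floor, three times the benefit
    reasonably attributable to the contravention or, only where that benefit cannot
    be determined, 30% of adjusted turnover for the breach period.  Passing a benefit
    therefore switches the turnover limb off, as the statute does.
    """
    if not entity.body_corporate:
        return S13G_INDIVIDUAL_MAX
    candidates = [S13G_BODY_CORPORATE_FLOOR]
    if benefit is not None:
        candidates.append(Decimal(3) * Decimal(benefit))
    elif entity.adjusted_turnover is not None:
        candidates.append(Decimal("0.30") * Decimal(entity.adjusted_turnover))
    return max(candidates)


def s13h_maximum(entity: Entity) -> Decimal:
    """Per-contravention maximum for a non-serious interference (s 13H)."""
    units = S13H_UNITS * (BODY_CORPORATE_MULTIPLIER if entity.body_corporate else 1)
    return units * PENALTY_UNIT


def infringement_notice_amount(entity: Entity) -> Decimal:
    """Infringement-notice amount for a non-listed recipient (s 80UB).  Listed
    corporations are not modelled because the page gives no unit figure for them."""
    key = "body_corporate" if entity.body_corporate else "individual"
    return INFRINGEMENT_UNITS[key] * PENALTY_UNIT


def aggregate_ceiling(per_contravention_max: Decimal, affected_individuals: int) -> Decimal:
    """Theoretical ceiling when each affected individual is a separate contravention."""
    return per_contravention_max * affected_individuals


def share_of_ceiling(imposed: Decimal, ceiling: Decimal) -> Decimal:
    """Imposed penalty as a percentage of the theoretical ceiling."""
    return Decimal(imposed) / ceiling * 100


if __name__ == "__main__":
    # Constructed inputs: a body corporate with $400M adjusted turnover and no
    # determinable benefit, then the ACL figures as reported on this page.
    sample = Entity(body_corporate=True, adjusted_turnover=Decimal("400000000"))
    print("s 13G max, turnover limb:", s13g_maximum(sample))
    print("s 13G max, benefit limb:", s13g_maximum(sample, benefit=Decimal("30000000")))
    print("s 13H max, body corporate:", s13h_maximum(sample))
    ceiling = aggregate_ceiling(PRE_POLA_BODY_CORPORATE_MAX, 223_000)
    print("ACL ceiling:", ceiling, "imposed share %:", share_of_ceiling(Decimal("5800000"), ceiling))
```

Note that a benefit figure, once determinable, displaces the turnover limb even when 30 percent of turnover would be larger; an exposure estimate that simply takes the maximum of all three limbs overstates the statutory ceiling.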
Source: Privacy Act 1988 (Cth) — section 80Z
Source: [Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224](https://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/single/2025/2025fca1224)
Source: OAIC media release — Australian Clinical Labs ordered to pay penalties (9 October 2025)
Criminal offences under the Privacy Act 1988 — section 66(1AA) and CDPP prosecution pathway
The Privacy Act 1988 (Cth) contains criminal offences that are prosecuted by the Commonwealth Director of Public Prosecutions (CDPP), operating independently of the civil penalty regime administered by the Office of the Australian Information Commissioner (OAIC). Criminal liability under the Privacy Act is narrow in scope and reserved for systemic obstruction of regulatory investigations rather than substantive privacy breaches; a breach of the Australian Privacy Principles (APPs) or the notifiable data breaches (NDB) scheme does not itself constitute a criminal offence but may attract civil penalties under sections 13G, 13H, or 13K.
Section 66(1AA): Criminal offence for systemic failure to comply with information notices
The principal criminal offence in the Privacy Act is found in section 66(1AA), enacted as part of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the 2022 Enforcement Act) and operative from 12 December 2022. Section 66(1AA) targets bodies corporate (corporations, companies, and other incorporated entities) whose conduct in contravention of section 66(1) amounts to a system of conduct or a pattern of behaviour.
Section 66(1) itself is a civil penalty provision (not a criminal offence when committed in isolation) that prohibits a person from failing or refusing to give information, answer a question, or produce a document or record when required to do so under the Privacy Act. The OAIC exercises compulsory information-gathering powers under Part V of the Privacy Act (investigations) and Division 3A (privacy assessments), issuing notices under sections 44, 45, and 68 that require entities to provide information, attend before the Commissioner, or produce documents. A single failure to comply with such a notice may result in an infringement notice (12 penalty units for individuals, 60 penalty units for bodies corporate) or civil penalty proceedings (maximum 60 penalty units for individuals, 300 penalty units for bodies corporate) under section 66(1).
However, where a body corporate (and only a body corporate — individuals are excluded from section 66(1AA) liability) engages in repeated or systemic non-compliance with information notices — for example, ignoring multiple notices during a single investigation, providing incomplete or evasive responses across a series of requests, or implementing a corporate policy of non-cooperation with the OAIC — the conduct crosses into criminal territory. Section 66(1AA) provides:
> A body corporate commits an offence if the body corporate engages in conduct that contravenes subsection (1) and that conduct constitutes a system of conduct or a pattern of behaviour.
The maximum penalty is 300 penalty units. At the current penalty-unit value of $330 (in force since 7 November 2024 under section 4AA of the Crimes Act 1914 (Cth)), this equates to a maximum fine of $99,000 per offence. (Penalty-unit values are indexed periodically under section 4AA; practitioners should verify the current unit value at the time of assessment.)
The terms "system of conduct" and "pattern of behaviour" are not defined in the Privacy Act. They mirror the language of section 21(4)(b) of the Australian Consumer Law (Schedule 2 to the Competition and Consumer Act 2010 (Cth)) and are intended to capture systematic or repeated contraventions rather than isolated failures. The OAIC's Guide to Privacy Regulatory Action (Chapter 8, published December 2024) states that where a body corporate has engaged in "serious, systemic conduct or a pattern of behaviour," the Commissioner cannot issue an infringement notice under section 80UB but may instead refer the matter to the Commonwealth Director of Public Prosecutions for criminal prosecution.
Mental element and burden of proof
Section 66(1AA) is a strict liability offence. The general principles of criminal responsibility in Chapter 2 of the Criminal Code Act 1995 (Cth) apply to all offences against the Privacy Act by virtue of section 6AA of the Privacy Act. Under section 6.1 of the Criminal Code, strict liability means the prosecution need not prove a fault element (intention, knowledge, recklessness, or negligence) for any physical element of the offence, but the defence of mistake of fact under section 9.2 remains available, together with the other defences provided by the Code.
The prosecution must prove beyond reasonable doubt that:
- The defendant is a body corporate;
- The body corporate was required to give information, answer a question, or produce a document or record under the Privacy Act (typically under a notice issued by the OAIC under sections 44, 45, or 68);
- The body corporate failed or refused to comply with that requirement; and
- The conduct constituted a system of conduct or a pattern of behaviour (not a single isolated failure).
The fourth element — systemic or patterned conduct — distinguishes criminal liability from civil penalty exposure and requires the prosecution to demonstrate that the non-compliance was more than an inadvertent or one-off omission. Evidence may include multiple unanswered notices, deliberate evasion, partial or misleading responses over time, or internal corporate policies or communications showing an intent to obstruct or delay the investigation.
Prosecution pathway: OAIC referral to the CDPP
The OAIC does not prosecute criminal offences; that function rests exclusively with the Commonwealth Director of Public Prosecutions (CDPP) under the Director of Public Prosecutions Act 1983 (Cth). Where the OAIC's investigation reveals conduct that may constitute a criminal offence under section 66(1AA), the OAIC refers the matter to the CDPP. The CDPP applies the Prosecution Policy of the Commonwealth (updated 28 March 2024) in deciding whether to prosecute, assessing whether there is sufficient admissible evidence to support a reasonable prospect of conviction and whether prosecution is in the public interest.
As of June 2026, no prosecutions have been publicly reported under section 66(1AA). The offence was enacted in December 2022 as a backstop enforcement tool to address the most egregious cases of corporate obstruction, and the OAIC's published guidance indicates the Commissioner will exhaust civil remedies — including infringement notices, enforceable undertakings, and civil penalty proceedings — before referring a matter for criminal prosecution. The OAIC's Privacy Regulatory Action Policy (current as of December 2024) articulates a graduated regulatory approach that favours engagement, advice, and support over deterrence and punishment where appropriate, reserving criminal referral for conduct that demonstrates serious and deliberate non-compliance with regulatory process.
Relationship to civil penalties and the "double jeopardy" rule
A body corporate cannot be both convicted of a criminal offence under section 66(1AA) and subjected to a civil penalty order under section 66(1) for substantially the same conduct. Section 80U(5) of the Privacy Act (civil penalty enforcement) provides that a court must not make a civil penalty order against a person if the person has been convicted of an offence constituted by conduct that is substantially the same as the conduct constituting the contravention. Conversely, section 66(1B) provides that subsection (1) (the civil penalty provision) does not apply to conduct to the extent that the conduct constitutes an offence against subsection (1AA). These provisions prevent "double jeopardy" — simultaneous criminal and civil liability for the same conduct — consistent with the principle in Pearce v The Queen (1998) 194 CLR 610.
In practice, the OAIC and CDPP will elect one pathway: criminal prosecution under section 66(1AA) for systemic obstruction, or civil penalty proceedings under section 66(1) for isolated failures. The existence of the criminal offence creates a deterrent against corporate policies of non-cooperation and provides the OAIC with escalation authority to refer the most serious cases of procedural obstruction to the CDPP.
Comparison to related criminal offences outside the Privacy Act
Practitioners should distinguish section 66(1AA) from other Commonwealth criminal offences that may arise in a privacy or data-breach context:
- **Section 70(1) of the Crimes Act 1914 (Cth)** (repealed in 2018 and replaced by Part 5.6 of the Criminal Code): the former offence of unauthorised disclosure of information by a Commonwealth officer (maximum 2 years' imprisonment). It applied to individuals who were or had been Commonwealth officers and disclosed information obtained in the course of their duties; it did not apply to private-sector APP entities or to corporate conduct, and conduct of that kind is now charged under Division 122 of the Criminal Code.
- **Section 122.4 of the Criminal Code (Cth)**: Unauthorised disclosure of information by current and former Commonwealth officers (maximum 2 years' imprisonment). This is the successor to section 70 of the Crimes Act and applies where a current or former Commonwealth officer (a term that extends to certain contractors) communicates information in breach of a duty not to disclose it arising under a law of the Commonwealth. The more serious offences in Division 122, including the communication of inherently harmful information under section 122.1, carry higher maxima.
- **Part 9.5 of the Criminal Code (Cth)**: Identity crime offences, including dealing in identification information (section 372.1, maximum 5 years' imprisonment) and possession of identification information with intent to commit an indictable offence (section 372.2, maximum 3 years' imprisonment). These offences may be charged where personal information (particularly identity documents or identification data) is obtained, possessed, or used with intent to commit fraud or other offences, and they operate independently of the Privacy Act.
- **Sections 474.17C and 474.17D of the Criminal Code (Cth)**, inserted by Schedule 3 of the Privacy and Other Legislation Amendment Act 2024 (POLA Act): the "doxxing" offences, which commenced on 10 December 2024. Section 474.17C criminalises using a carriage service to make available, publish or otherwise distribute the personal data of one or more individuals (for example, addresses, phone numbers, or images) in a way that reasonable persons would regard as menacing or harassing (maximum 6 years' imprisonment); section 474.17D is an aggravated form where the targets are members of a group distinguished by a protected attribute such as race, religion, sex, sexual orientation, gender identity, intersex status, disability, or national or ethnic origin (maximum 7 years' imprisonment). These offences are prosecuted by the CDPP independently of the OAIC's regulatory jurisdiction.
None of these criminal offences replaces or duplicates section 66(1AA), which is uniquely focused on obstruction of the OAIC's regulatory process rather than substantive privacy harms. A single data breach may give rise to civil penalties under the Privacy Act (sections 13G/13H for APP breaches, section 26WK for NDB notification failures) and, separately, criminal prosecution under the doxxing offences or identity crime offences if the conduct meets the mental-element and harm thresholds of those offences, but only obstruction of the OAIC investigation itself will engage section 66(1AA).
Practical implications for corporate respondents
Entities subject to OAIC investigations should treat information notices (sections 44, 45, 68) as compulsory legal obligations with both civil and criminal enforcement backstops. Failure to respond promptly and comprehensively may result in:
- an infringement notice under section 80UB (12 penalty units for an individual, 60 for a body corporate) for a single failure;
- civil penalty proceedings under section 66(1) (up to 60 penalty units per contravention for an individual, 300 for a body corporate) for more serious or multiple isolated failures; or
- referral to the CDPP and criminal prosecution under section 66(1AA) (up to 300 penalty units per offence) where the conduct is systemic or patterned, carrying the stigma of a criminal conviction, adverse publicity, and the cost of a contested criminal trial.
Where an entity has legitimate grounds to object to a notice — for example, claims of legal professional privilege, oppressive scope, or relevance — the proper course is to engage constructively with the OAIC and, if necessary, seek judicial review of the notice in the Federal Court rather than simply ignoring or evading the request. The OAIC's published policy states that cooperation with investigations is a material mitigating factor in penalty assessments (see section 80Z(g)), whereas obstruction or delay is an aggravating factor (section 80Z(f)).
As of June 2026, the criminal offence under section 66(1AA) remains untested in the courts, and there is no published case law interpreting "system of conduct or pattern of behaviour" in the Privacy Act context. Practitioners advising on exposure should apply by analogy the consumer-law and competition-law precedents that have interpreted similar language in the Australian Consumer Law and Competition and Consumer Act 2010, where courts have found that two or more contraventions over time, undertaken in similar circumstances or pursuant to a common policy or practice, may constitute a "course of conduct" attracting higher penalties.
Source: Privacy Act 1988 (Cth) — sections 6AA, 44, 45, 66, 68, 80U
Source: OAIC Guide to Privacy Regulatory Action — Chapter 8: Infringement notices
Source: Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth)
Source: Crimes Act 1914 (Cth) — section 4AA (penalty unit value)