Frequently asked questions: Notifiable Data Breaches (NDB) scheme

Can you confirm you have been notified of a data breach?

The OAIC generally will not comment publicly about the content of data breach notifications.

Where a particular incident is of community concern and has already been reported in the media, we may confirm publicly that we have received a notification or are investigating or making inquiries into the matter. We will generally not comment further until the investigation or our inquiries are complete.

We may also comment publicly on a matter where there is public interest in us doing so, for example, to enable members of the public to respond to a data breach.

Why don’t you list the names of organisations that have notified data breaches?

There is no specific provision that provides for the OAIC to make available a list of names of organisations that notify data breaches. The NDB scheme does have specific provisions regarding how organisations must notify individuals at likely risk of serious harm from a data breach and the OAIC. Accordingly, the OAIC will not generally disclose a list of names of organisations that notify data breaches.

Frequently asked questions: Commissioner-initiated investigations

Can you advise when an investigation will be completed?

Some investigations can be finalised quickly, but some take longer because of the type of inquiries and the volume of material that needs to be reviewed. We aim to finalise all investigations as quickly as possible.

Will you publish a report on the investigation?

Where the Commissioner makes a determination, a decision will be published. If the Commissioner takes proceedings for civil penalties, the Commissioner will file a statement of claim.

There’s more information on Commissioner-initiated investigations, including our approach to publication, in our Guide to Privacy Regulatory Action.

Frequently asked questions: Penalties

What penalties are available to the OAIC for an interference with privacy?

Section 80U of the Privacy Act 1988 empowers the Commissioner to apply to the Federal Court or Federal Circuit Court for an order that an entity that is alleged to have contravened a civil penalty provision in that Act pay the Commonwealth a penalty.

Under section 13G of the Privacy Act, the maximum penalty for a serious interference with the privacy of an individual is:

  • for a body corporate, the greatest of the following:
    • $50 million;
    • the value of any benefit the relevant court has determined that the body corporate, or any body corporate related to it, has obtained directly or indirectly that is reasonably attributable to the contravention, multiplied by three; or
    • if the court cannot determine the value of that benefit, 30% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the contravention happened or began.
  • for a person other than a body corporate, $2.5 million.

The Federal Court or Federal Circuit Court ultimately determines the penalty awarded, taking into account matters including:

  • the nature and extent of the contravention
  • the nature and extent of any loss or damage suffered because of the contravention
  • the circumstances in which the contravention took place
  • whether the person has previously been found by a court to have engaged in any similar conduct.

Under the Privacy and Other Legislation Amendment Act 2024 (POLA Act), civil penalties may also be awarded for interferences with the privacy of an individual under section 13H of the Privacy Act. The maximum civil penalty the OAIC can seek in court under this section is 2,000 penalty units ($660,000).

In addition, the OAIC has other regulatory enforcement powers under section 13K of the Privacy Act, including the power to issue compliance notices and infringement notices in certain circumstances. These include:

  • Compliance notices, which set out an alleged contravention and what an entity must do to address the contravention (or not repeat it) within a set timeframe. If the entity does not comply with the notice, the OAIC may issue an infringement notice or commence civil penalty proceedings.
  • Infringement notices, which set out an alleged contravention and state that the entity can choose to pay the amount specified in the notice as an alternative to court proceedings.

If an entity does not comply with an infringement notice, the OAIC may commence court proceedings for the alleged contravention. The maximum amount of an infringement notice is 200 penalty units ($66,000).

There is more information on civil penalties, including provisions in other legislative frameworks, in our Guide to Privacy Regulatory Action.