A Landmark Privacy Case That’s About to Reshape How Businesses Are Held Accountable

Written by: Liam Benson

Published on: August 8, 2025

Category: News


By now, you’ve probably seen the headlines: the Australian Information Commissioner has taken civil penalty action against Optus over its 2022 data breach.

This isn’t just about one big telco. It’s a landmark case that will set the tone for how privacy breaches are handled going forward. And here’s the part every business leader needs to know:

  • The Privacy Commissioner will now be investigating more breaches in the future – and not just the high-profile ones.
  • Lower-end civil penalties are non-negotiable – if the OAIC issues one, there’s no back-and-forth, no “let’s talk about it.” You pay it—end of story.
  • Serious breaches can now result in eye-watering fines, calculated against your revenue or the benefit you received from the breach.

Why This Matters for You

Even if you’re not handling millions of customer records like Optus, the same laws apply. The Privacy Act and Notifiable Data Breaches Scheme are clear about your responsibilities. If you’re not meeting those obligations, you’re taking unnecessary risks—risks that are now more likely to result in penalties.

And let’s be real, doing the wrong thing, neglecting your clients’ and suppliers’ personal information, or hoping it’ll never happen, is no longer going to cut it. Businesses are going to get caught out. If it’s not the Privacy Commissioner, it could be ASIC, or it could be a lawsuit from those affected. The government will come after you and pursue the matter.

Doing nothing is not an option anymore.

Privacy Self Check - Can You Honestly Answer These Questions?

  • If a customer asked to see all the personal data you hold on them, could you provide it, accurately, within 30 days?
  • If you suffered a cyber incident tonight, do you know exactly who you would need to notify, and in what order?
  • Do you have a record of every third party or supplier who has access to your customer data?
  • Are you confident that every staff member understands their privacy obligations under Australian law?

If you can’t answer “yes” to all of these, and back it up with evidence, we need to talk.

The Upside of Getting This Right

The good news? Businesses that get ahead of this are in a strong position. Compliance builds trust, strengthens your reputation, and avoids costly legal battles. It also sends a strong message to your customers and partners that you take their privacy seriously.

Don't Take My Word For It... Hear More on This from the Experts

We actually unpacked this very topic on The Data Breach Playbook podcast with Jason from Mills Oakley, who’s one of the best legal minds in this space. Jason explains exactly what this case means for Australian businesses, and why the smart move is to act now, not when you’re in the OAIC’s spotlight.

Your Next Step

If you haven’t reviewed whether your business is adhering to the Privacy Act and the Notifiable Data Breaches Scheme, now is the time.

Let’s have a conversation about where you stand, what gaps might exist, and how to close them before they become a problem.

📅 Book a Privacy Compliance Review Call

I want to be clear - this isn't about fear. I am not about FUD. My passion lies in helping businesses prepare by taking the necessary steps to protect their customers and continue operating smoothly in the event of a data breach.

"By failing to prepare, you are preparing to fail." - Ben Franklin
