Digital Governance, Cyber and Privacy | Quarterly Roundup | December 2025
By Katherine Jones, Morgan Lane, Jessica Yazbek, Grace Ellis and Amelia Sakaris
In this edition, you will find our regular roundup of recent digital governance news* and developments in Australia and across the globe.
Welcome to the thirteenth edition of our quarterly Digital Governance, Cyber and Privacy newsletter.
This quarter explores the growing complexity of privacy compliance and cyber risk management. Updates to the Australian Privacy Principles reflect legislative changes under the Privacy and Other Legislation Amendment Act 2024 (Cth), while landmark enforcement actions signal a new era of accountability for data protection.
Regulators have issued the first civil penalty judgment under the Privacy Act, initiated proceedings against major telecommunications providers and ruled on the unlawful use of facial recognition technology in retail. These developments highlight the importance of robust privacy governance and proactive risk management.
Globally, the pace of enforcement remains high. Authorities have imposed significant fines for data breaches, released new guidance on ransomware resilience and addressed emerging risks such as insider threats and AI-driven technologies. Organisations are facing increased pressure to manage digital risk effectively, as the EU Data Act comes into force and cyber-attacks continue to disrupt global supply chains.
Here is your roundup of relevant news from around the world:
Privacy in Australia
OAIC updates chapters 1, 8 and 11 of the APP guidelines
The Australian Privacy Principles (APP) guidelines outline the mandatory requirements of the APPs, how the OAIC interprets the APPs and the matters it may take into account when exercising its functions and powers under the Privacy Act 1988. The guidelines have been updated to reflect the changes to the APPs made by the Privacy and Other Legislation Amendment Act 2024 (Cth).
Findings against Vinomofo Pty Ltd (Privacy) [2025] AICmr 175
Vinomofo, an online wine wholesaler, suffered a data breach that led to unauthorised access to customers’ personal information. The OAIC investigated whether the respondent complied with APP 11.1 of the Privacy Act, which requires reasonable steps to protect personal information from misuse, interference, loss and unauthorised access or disclosure.
The OAIC determined that the respondent’s actions were not reasonable under the circumstances to safeguard the personal information it held.
First civil penalty under the Privacy Act: Australian Clinical Labs
The Federal Court has handed down a landmark decision under the Privacy Act 1988 (Cth), ordering Australian Clinical Labs (ACL) Limited to pay $5.8 million in penalties following a major data breach. This marks the first civil penalty ever awarded under the Privacy Act and signals a new era of enforcement for privacy compliance.
OAIC commences civil penalty proceedings against Optus
The OAIC has initiated civil penalty proceedings against Singtel Optus Pty Limited and Optus Systems Pty Limited after a major data breach exposed the personal information of approximately 9.5 million Australians, with some data released on the dark web. The OAIC alleges that Optus failed to take reasonable steps to protect this information and inadequately managed its cybersecurity risks.
Use of AI facial recognition in retail unlawful
The OAIC found that Kmart Australia Limited breached Australians’ privacy by using facial recognition technology (FRT) in its stores without notifying or obtaining consent from customers, collecting sensitive biometric information indiscriminately.
The Commissioner concluded that Kmart’s use of FRT to prevent refund fraud was disproportionate, as less intrusive methods were available and the privacy impact on thousands of individuals outweighed the limited benefits.
This determination, along with a similar case involving Bunnings Group Limited, highlights that while safety and fraud prevention are legitimate concerns, they do not override compliance with the Privacy Act, and organisations must carefully consider privacy risks when deploying new technologies.
New social media restrictions for under-16s
The Australian Government has introduced landmark measures to safeguard young people online. From 10 December 2025, social media platforms will be required to take reasonable steps to ensure that Australians under 16 cannot create or maintain an account.
Federal Government unveils National AI Plan
The Federal Government has unveiled its National AI Plan, setting a new direction for investment in data infrastructure and workforce capability. The strategy moves away from the previous approach of introducing mandatory guardrails focused on mitigating AI risks. Instead, the National AI Plan outlines how the Australian Government intends to drive growth in the domestic AI sector and position Australia as a competitive, efficient and resilient AI-enabled economy.
Cybersecurity in Australia
Annual ASD Cyber Threat Report released
The report finds Australia faces increasing cyber threats from both state-sponsored and criminal actors, with significant rises in reported incidents, financial losses and malicious activity targeting critical infrastructure and businesses.
Ex-ASD employee accused of selling secrets to Russia
An Australian man, Peter Williams, formerly associated with the Australian Signals Directorate (ASD), is accused by US prosecutors of selling trade secrets to a Russian buyer for nearly $2 million while working for a US defence contractor.
Details about the specific trade secrets are not disclosed, but US authorities have seized Williams's assets, and both Australian and US agencies are aware of the case, with ASD declining to comment on individual involvement.
Around the world
Capita fined £14m in UK for data breach
The UK's Information Commissioner's Office fined outsourcing firm Capita £14 million after a cyber-attack exposed the personal data of 6.6 million people, citing failures in data security and risk management. The breach, which affected hundreds of pension schemes and led to sensitive information circulating on the dark web, was initially set to result in a £45 million fine but was reduced after Capita demonstrated improvements in cybersecurity and support for victims.
Asahi hit by cyber-attack in Japan
Asahi suffered a cyber-attack causing a systems failure that disrupted its shipping and customer service operations in Japan, though no personal data leaks have been confirmed and European operations remain unaffected. The company is investigating the incident and working to restore operations.
Jaguar Land Rover attack halts UK production
A five-week cyber-attack forced Jaguar Land Rover to halt all production, causing UK car manufacturing to drop by over 27% in September. The attack, estimated to cost £1.9bn and affect 5,000 businesses, is considered the most economically damaging cyber event in UK history, with full recovery not expected until January 2026.
UK issues supply chain guidance for ransomware
This guidance is to help organisations build resilience into their supply chains, reducing the likelihood and impact of ransomware incidents. It’s issued by the Counter Ransomware Initiative, an international partnership for collective defence against ransomware.
UK Judgment on “non-material damage” under Art 82, UK GDPR
The Court of Appeal held that the High Court was wrong to strike out the data protection claims solely because there was no proof of disclosure, finding that an infringement of the GDPR can occur without actual disclosure of data.
EU Data Act is now in force (from 12 September 2025)
An EU law designed to boost the data economy by making industrial and other data more accessible and usable, the Data Act clarifies who can use what data and under which conditions. It gives users of connected products greater control over the data they generate and sets rules for mandatory data sharing between businesses.
*Note: for some publications, you may require a current subscription to read the full article.