Privacy

4 Mar 2026

7 min Read

Lessons From the Courtroom: What the Bunnings and Australian Clinical Labs Cases Mean for Your Business

Two landmark Australian privacy cases. One clear lesson: document your risks before you act. We explain what the Bunnings and ACL decisions mean for your business — and what to do now.

Knowledge is Power, Documentation is Protection

Two recent decisions have reshaped how Australian businesses should think about privacy risk. One involved a hardware retailer and facial recognition cameras. The other involved a $5.8 million penalty following a pathology data breach. Both have become essential reading for any privacy lawyer, and they should be essential reading for you as a business owner too.

Together, they deliver a clear message: it is not enough to believe your practices are lawful. You have to be able to prove you assessed the risks before you acted. That is where a structured privacy audit and a documented privacy impact assessment become your most important assets.

Case 1: Bunnings and the Facial Recognition Decision

In 2025, the Australian Information Commissioner found that Bunnings had breached the Privacy Act by deploying facial recognition technology in its stores. The technology was used to identify individuals flagged as threats to staff.

Here is the part that should concern every business owner contemplating new technology: the Administrative Review Tribunal ultimately found that the use of the technology itself may have been permissible under the law. Bunnings still lost.

Why did Bunnings lose? Because they had not conducted a privacy impact assessment before rolling out the technology. They had not properly considered whether the collection was proportionate, whether less privacy-invasive alternatives existed, or whether the individuals whose biometric data was being captured had adequate notice.

The practical lesson for business owners: any time you introduce a new technology, process or system that involves collecting personal information, particularly sensitive information like biometrics, health data or financial details, you need to conduct a privacy impact assessment beforehand. Not as an afterthought. Before you go live.

What Is a Privacy Impact Assessment?

A privacy impact assessment (PIA) is a structured process for identifying and managing privacy risks before implementing a new project, system or process. For businesses and organisations across Australia, it is rapidly becoming a standard part of responsible governance and a key tool any experienced privacy lawyer will recommend before significant data initiatives are launched.

A privacy impact assessment asks:

  • What personal information will we collect?

  • Is the collection necessary and proportionate to the purpose?

  • What are the privacy risks to the individuals whose data we are collecting?

  • How can we reduce or eliminate those risks?

  • Are we meeting our obligations under the Privacy Act 1988 (Cth)?

A privacy impact assessment does not have to be an enormous document. For lower-risk initiatives, it can be a focused, practical exercise completed in a few hours. For high-risk initiatives (deploying biometric technology, building a customer data platform, entering a new market), it should be thorough, legally reviewed, and carefully documented. The key thing is that it happens, and that it is recorded.

Important: A privacy impact assessment is not just good practice — it is your evidence of due diligence if a regulator investigates. Bunnings could not produce one. That was decisive.

Case 2: Australian Information Commissioner v Australian Clinical Labs

In early 2025, the Federal Court imposed a $5.8 million penalty on Australian Clinical Labs (ACL) arising from a 2022 breach of Medlab Pathology's systems. The breach exposed the personal and health information of nearly 230,000 people.

Here is what makes this case particularly instructive: ACL acquired Medlab Pathology only a few months before the breach. The breach occurred in systems ACL had inherited through the acquisition. A thorough privacy audit of Medlab's systems prior to completion would very likely have identified the vulnerability, and potentially avoided the breach altogether, or at minimum, significantly reduced the penalty.

ACL faced penalties in part because, after discovering suspicious activity, it failed to act with sufficient urgency to contain the breach and notify affected individuals. The delay and inadequate response compounded the original failure.

When you buy a business, you buy its privacy liabilities. Due diligence that doesn't include a privacy audit is incomplete diligence.

The Lessons for M&A and Business Growth

The ACL case is a cautionary tale for any business that grows through acquisition. Privacy risk does not disappear at settlement. You inherit it. This is a point we raise in every M&A matter we are involved in because most buyers do not appreciate the extent of privacy liability they can inherit.

Before completing any acquisition, a targeted privacy audit of the target business should answer:

  • What personal information does the target hold, and how much of it?

  • Has the target experienced any prior data breaches?

  • Is the target subject to any ongoing OAIC investigations or complaints?

  • Do the target's data governance practices meet the required standard?

  • What remediation is required to bring inherited systems up to compliance?

These are not just legal hygiene issues. As ACL discovered, they are financial exposure issues that can dwarf the cost of the acquisition itself.

The Broader Pattern: Regulators Are Rewarding Proactivity

Look across recent Australian privacy and cyber security decisions and a clear pattern emerges. Regulators and courts are not just penalising bad outcomes. They are penalising the failure to assess and manage risk proactively — and they are measuring that proactivity against documented evidence.

In ASIC v FIIG Securities, the Federal Court imposed significant penalties for cybersecurity failures and expressly noted that the cost of appropriate risk management would have been far lower than the penalties imposed. The Court estimated the penalties were at least three times higher than what proper controls would have cost. The same logic applies to privacy: a privacy audit or privacy impact assessment conducted beforehand is almost always cheaper than the regulatory response afterwards.

The message is consistent: investing in proactive risk assessment is not just good governance. It is financially rational.

What You Should Do Now

Based on these decisions, here are the practical steps every business owner and board should consider with the guidance of an experienced privacy lawyer:

  1. Implement a privacy impact assessment process for any new technology, system or data-heavy project. Document it before you go live, not after.

  2. Commission a privacy audit of your current operations to understand your baseline risk and identify gaps before a regulator does.

  3. Review your incident response plan. Do you know what you would do, and how quickly, if a breach occurred tonight?

  4. Add privacy due diligence (including a targeted privacy audit) to your M&A checklist: before you sign, not after.

  5. Check your acquisition contracts: do they include warranties about the target's data governance practices and breach history?

  6. Document your decision-making at every stage. Regulators give meaningful credit for demonstrable, good-faith compliance efforts.

Getting the Right Advice

The decisions in both the Bunnings and ACL matters are a reminder that privacy law is now a strategic business issue, not a back-office compliance function. The organisations that navigate it best are those with access to experienced privacy lawyers who can translate legal obligations into practical governance frameworks: privacy impact assessments that actually get used, privacy audits that identify real risk, and contracts that genuinely protect the business.

If you are based in Melbourne or operating across Australia and want to understand what these decisions mean for your specific situation – whether you are deploying new technology, growing through acquisition, or simply wanting to understand your current exposure – a conversation with a privacy lawyer is the right starting point.

Privacy law is not a game of chance. It rewards organisations that can show structured, considered, documented governance, and it penalises those who act first and think about the consequences later.

Need help? Enigma Law is a privacy law firm based in Melbourne, advising Australian businesses on privacy compliance, privacy audits, privacy impact assessments and regulatory response. Contact jon@enigmalaw.com.au to discuss your situation.