University of Melbourne · S1 2026 · FACULTY OF LAW

LAWS70082 · Privacy Law

50% final exam · hurdle · 14 Chapters · 3-page Bible
Chapter 6 of 7 · LAWS70082

Enforcement and Remedies

The Office of the Australian Information Commissioner (OAIC) regulates the Privacy Act 1988 (Cth). Once an APP is breached — an interference with privacy (s 13) — this chapter answers what the regulator can do and what an individual can recover. The enforcement ladder runs from a complaint (s 36) and conciliation, or a Commissioner-initiated investigation (CII), up to a determination (s 52) — which can declare the conduct an interference, order it stop, order compensation and an apology, and require changed practices — and on to civil penalties for serious or repeated interferences (s 13G, materially raised by the 2022 Enforcement Act, with tiered mid/low penalties added by the 2024 Act). Alongside it runs the Notifiable Data Breaches scheme (Part IIIC): on an eligible data breach an entity must assess and notify. Leading frontier determinations — Clearview, Uber — show the regime in action, with court actions (AIC v Facebook) and the class-action / Australian Consumer Law (ACL s 18) overlays. A citation discipline markers notice: cite OAIC determinations as AICmr determinations, never as court judgments.

In this chapter

What this chapter covers

  • 01 Interference with privacy (s 13) — the gateway from a breach
  • 02 Complaint (s 36) → conciliation; the Commissioner-initiated investigation (CII)
  • 03 Determination (s 52): stop the conduct, compensation, apology, changed practices
  • 04 Enforceable undertakings; civil penalties for serious/repeated (s 13G)
  • 05 The 2022 Enforcement Act penalty rise; 2024 tiered penalties
  • 06 The Notifiable Data Breaches scheme (Part IIIC): assess, notify
  • 07 Frontier determinations: Clearview, Uber; court actions
  • 08 Overlays: class actions and ACL s 18; citing AICmr not court

Worked example: closing a problem with enforcement

Q [5 marks]. Having found that a company breached APP 6 and APP 11, and that 50,000 customers’ records were exposed in a hack, advise on the enforcement and notification consequences.
  • +1 Characterise: each APP breach is an interference with privacy (s 13) — the gateway to the regulator’s powers.
  • +1 Route it: an affected individual may complain (s 36) leading to conciliation, or the Commissioner may run a CII; either can lead to a determination (s 52) ordering the conduct stop, compensation and an apology, and changed practices.
  • +1 Penalties: a security failure exposing 50,000 records may be a serious or repeated interference under s 13G, exposing the company to civil penalties in the Federal Court (raised by the 2022 Enforcement Act).
  • +1 NDB scheme: a hack exposing personal information likely to cause serious harm is an eligible data breach (Part IIIC) — the company must assess and notify the OAIC and affected individuals.
  • +1 Overlays: note the potential class action and the ACL s 18 (misleading-conduct) overlay if privacy representations were false.
The breaches are interferences (s 13) routed via complaint/CII to a s 52 determination (stop, compensate, apologise, change practices), with s 13G civil-penalty exposure for a serious interference, a mandatory NDB assess-and-notify obligation (Part IIIC), and class-action / ACL s 18 overlays.
Glossary

Key terms

Interference with privacy (s 13)
The gateway concept: an act or practice breaching an APP is an ‘interference with the privacy’ of an individual, which is what the OAIC’s enforcement powers act on. Every enforcement answer starts by naming the breach as an s 13 interference.
Determination (s 52)
The OAIC’s central remedial order: it can declare the conduct an interference, order it to stop, order redress or compensation and an apology, and require changed practices. Cite it as an AICmr determination, not a court judgment.
s 13G civil penalty
The serious-end sanction: for serious or repeated interferences the Commissioner can seek civil penalties in the Federal Court. The penalty was materially raised by the 2022 Enforcement Act, with tiered mid/low penalties added by the 2024 Act.
Notifiable Data Breaches scheme (Part IIIC)
The mandatory breach-notification regime: on an eligible data breach (unauthorised access/disclosure or loss likely to cause serious harm) an entity must assess and notify the OAIC and affected individuals.
Frontier determinations
Leading OAIC actions that show the regime’s reach — e.g. Clearview AI (scraping facial images) and Uber — cited as AICmr determinations. They illustrate extra-territorial operation (s 5B) and the security and collection principles in practice.
FAQ

Enforcement and Remedies FAQ

How do I cite an OAIC determination correctly?

As an AICmr determination (e.g. Commissioner Initiated Investigation into Clearview AI [2021] AICmr 54), never as a court judgment. It is a citation discipline markers specifically notice; getting the AICmr form right signals you understand the regulator is not a court.

What can an individual actually recover?

Through a s 52 determination: an order that the conduct stop, compensation (including for non-economic loss such as distress in appropriate cases), an apology, and changed practices. Civil penalties under s 13G go to the Commonwealth, not the individual; the individual’s recovery is the determination (and any class-action overlay).

When does the NDB scheme apply?

On an eligible data breach — unauthorised access to, disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm. The entity must assess (usually within 30 days) and, if eligible, notify the OAIC and affected individuals (Part IIIC).

How does this chapter close a take-home problem?

It is the finish: having found APP breaches (Topic 5), you say what follows — each breach is an interference (s 13), route it via complaint/CII to a s 52 determination, test s 13G for serious/repeated, add the NDB obligation if data was breached, and note the class-action / ACL s 18 overlays. That structure earns the enforcement marks.

Study strategy

Exam move

Learn the enforcement ladder as a single chain — s 13 interference → complaint (s 36)/CII → s 52 determination → s 13G penalty — so you can recite it to close any problem. Keep the NDB scheme (Part IIIC) and its assess-and-notify trigger parallel, because data-breach facts need both the APP 11 analysis and the notification duty. Lock in the citation discipline: AICmr determinations, never court judgments, and keep Clearview and Uber ready as frontier illustrations. Remember the split between individual recovery (the determination) and public penalty (s 13G), and tag the class-action / ACL s 18 overlays for a complete answer.
