The recent conclusion of the long-running investigation into Meta Platforms regarding the Cambridge Analytica affair marks a significant moment in Australian privacy law. The Office of the Australian Information Commissioner (OAIC) has accepted an enforceable undertaking from Meta, resulting in a landmark settlement of $50m from Meta for Australian users. While the scale of Meta’s operations dwarfs the average Australian Small to Medium Enterprise (SME), the principles underpinning this settlement are universally applicable. It highlights the critical need for robust data governance and proactive legal advice for data breach prevention.
For commercial operators, this case moves privacy compliance from a technical “IT issue” to a boardroom priority. The risks associated with mishandling customer data (ranging from regulatory fines to reputational damage) are escalating. This article outlines the commercial lessons Australian SMEs must draw from this settlement, focusing on third-party risk management, scam prevention, and the evolving regulatory landscape.
The Shift in Regulatory Enforcement
The Meta settlement resolves seven years of litigation. It concerns the disclosure of Australian users’ personal information to a third-party app, “This Is Your Digital Life,” which subsequently shared data with Cambridge Analytica. The core legal issue was not a “hack” in the traditional sense, but a failure of governance regarding how third parties accessed and used data.
For Australian businesses, this distinction is vital. You do not need to suffer a sophisticated cyber-attack to be liable for a privacy breach. If your business shares client data with third-party marketing platforms, cloud storage providers, or AI tools without adequate consent and contractual protections, you may be exposing your entity to significant risk.
The regulatory appetite for enforcement is growing. As we have discussed previously regarding consumer law, the big increases in penalties for breaches of consumer law that are on the cards suggest that regulators are increasingly willing to impose substantial financial penalties to deter non-compliance. The days of treating privacy policies as “tick-box” exercises are over.
Customer Data Protection Obligations
The foundation of the Meta case was the protection of user data. Australian SMEs must review their customer data protection obligations to ensure they align with the current Privacy Act 1988 (Cth) and anticipated reforms. The government’s response to the Privacy Act Review Report indicates that the exemption for small businesses (turnover under $3 million) may eventually be removed or modified, bringing thousands of smaller entities under the regulatory umbrella.
Data Minimisation and Purpose Limitation
A key takeaway is the principle of data minimisation. Commercial clients often collect more data than is operationally necessary, increasing their risk profile. If you hold sensitive data (e.g., driver’s licences, financial details) that you no longer need, you are holding a liability, not an asset.
Businesses should conduct a data audit to answer three questions:
- What data are we collecting?
- Do we have explicit consent for the specific way we are using it?
- When do we delete it?
Third-Party Vendor Management
Just as Meta was scrutinised for the actions of a third-party app, SMEs are responsible for the vendors they engage. When you upload customer lists to a SaaS platform or share data with a marketing agency, you must ensure your contracts include specific indemnity clauses regarding data breaches. You cannot outsource your liability under the Privacy Act.
The Scam Ripple Effect: Payment Redirection Risks
Data breaches invariably lead to an increase in scams. The source announcement regarding the Meta settlement explicitly warns users about scammers posing as administrators of the payment scheme. This highlights a secondary risk for businesses: the weaponisation of your brand by criminals.
When a business suffers a data breach, the stolen information is often used to facilitate Business Email Compromise (BEC) and payment redirection scams. In these scenarios, criminals monitor email traffic and send fraudulent invoices from what appears to be a legitimate vendor address.
Payment Redirection Scam Recovery
Recovering funds lost to payment redirection scams is legally complex. If a client pays a fraudulent invoice because your email system was compromised, the client may argue that your negligence caused the loss. Conversely, if the client’s security was lax, the liability may sit with them.
From a governance perspective, businesses must implement:
- Multi-Factor Authentication (MFA): Mandatory for all email and financial systems.
- Verification Protocols: Standard operating procedures requiring verbal verification for any change in bank account details.
- Cyber Insurance: Policies that specifically cover social engineering and funds transfer fraud, as general liability policies often exclude these events.
Government bodies continue to release data to assist in this area. For example, Treasury documents regarding Meta correspondence highlight ongoing efforts to educate Australian consumers and businesses on scam prevention. Engaging with these resources is part of a director’s duty of care.
Legal Advice for Data Breach Response
When a breach occurs, the speed and quality of the response determine the legal and commercial fallout. Under the Notifiable Data Breaches (NDB) scheme, eligible entities must notify the OAIC and affected individuals if a breach is likely to result in serious harm.
Determining “serious harm” and whether a breach is “eligible” requires immediate legal assessment. A common error SMEs make is attempting to “fix” the issue silently to avoid bad press. This can transform a manageable IT incident into a severe regulatory breach.
Effective incident response planning involves:
- Pre-appointed Forensic IT: Knowing exactly who to call to secure the environment.
- Legal Counsel: Engaging lawyers immediately to attract legal professional privilege over the investigation reports where possible.
- Communication Strategy: Drafting templates for notifying clients that comply with legal requirements without admitting unnecessary liability.
Regulatory actions are not limited to the OAIC. As seen in other sectors, such as the ASIC enforcement action against Oak Capital, regulators are taking a holistic view of compliance. A failure in data governance can trigger investigations into broader director duties and licensing obligations.
Emerging Risks: AI Governance
The Cambridge Analytica scandal was, at its core, about profiling and algorithmic targeting. Today, this risk has evolved into Artificial Intelligence (AI) governance. SMEs are rapidly adopting AI tools for efficiency.
If your staff input confidential client data into a public AI model (like the free version of ChatGPT), that data may become part of the model’s training set, effectively disclosing it to a third party. This mirrors the data leakage issues seen in the Meta case, but on a potentially larger scale.
Businesses require an Acceptable Use Policy for AI that dictates:
- Which AI tools are authorised.
- What categories of data are prohibited from being entered into AI prompts.
- Human oversight requirements for AI-generated content or decisions.
Commercial Pragmatism
The settlement program, which allows eligible Australians to register for compensation, is a reminder that data liabilities have a long tail—this case is being settled a decade after the data was collected. As noted by academic sources, the question of “Were you on Facebook 10 years ago?” is now triggering a massive administrative process.
For an SME owner, a ten-year legal battle is an existential threat. The goal of legal governance is to prevent this exposure. By treating data as a high-risk asset, verifying third-party security, and preparing for the inevitability of scam attempts, businesses can insulate themselves from the worst impacts of the digital economy.
If you require assistance reviewing your privacy contracts, cyber insurance coverage, or incident response plans, please contact our commercial team at SLK Lawyers.
Book an appointment with one of our Lawyers to discuss your specific needs.
A Note on the Information We Share
Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.