I think they can only be held liable under some EU law(s), e.g. fined if they are found by EU regulators to have breached the GDPR.
I don't know of any Australian law that prevents them from sharing data with Visa AU - but I'm no legal expert.
It's still a mystery why they preferred sharing data and potentially breaching EU regulations to refusing to provide the data to ASIC.