Shifting public sentiment on privacy following several high-profile cyber-attacks has accelerated legislative changes, culminating in the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the Act), the provisions of which have now commenced.
The most significant change is that companies now face penalties for serious or repeated interference with privacy equal to the greater of A$50 million or three times the value of the benefit obtained.
The OAIC now has broader regulatory powers with respect to requesting and sharing information, as well as powers to issue infringement notices for non-compliance with information requests. The requirement that entities collect or hold personal information in Australia has been removed, meaning that overseas entities which carry on business in Australia may be captured by the Privacy Act. Further substantive reforms to the Privacy Act are expected, following the Government’s final report on consultations over the last two years.
Shifting public sentiment
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 forms part of a long-running (and ongoing) review into the Privacy Act, which has seen the Attorney-General’s Department receive submissions on both an Issues Paper in 2020 and Discussion Paper in 2021 on the topic. The amendments contained in the Act are the result of an expedited response to high-profile data breaches, including that suffered by Optus in September 2022, which affected millions of Australians. After passing both Houses of Parliament on 28 November 2022, the Act was assented to on 12 December 2022 and its provisions commenced on 13 December 2022. They are now in force.
New higher penalties
The Act significantly increases the maximum penalty for serious or repeated interference with the privacy of an individual:
Maximum civil penalty for companies: the greater of:
- A$50 million
- Three times the value of benefits obtained or attributable to the breach (if quantifiable)
- 30% of the corporation’s ‘adjusted turnover’ during the ‘breach turnover period’ (if the court cannot determine the value of benefit obtained)*
Maximum civil penalty for individuals
* ‘Adjusted turnover’ means the sum of the value of all supplies made by the entity in connection with Australia. The ‘breach turnover period’ begins at the start of the month in which the offence or contravention occurred or began occurring, and ends at the end of the month in which it ceased – subject to a minimum ‘breach turnover period’ of 12 months.
New enforcement powers
The Act expands regulatory powers available to the Office of the Australian Information Commissioner (OAIC), as well as the Australian Communications and Media Authority (ACMA).
The OAIC may now request information from an entity regarding its compliance with the Notifiable Data Breach (NDB) scheme or following an actual or suspected data breach of that entity. Where entities do engage in conduct which causes an interference with the privacy of an individual, the OAIC may now make determinations requiring relevant entities to prepare and publish more detailed statements, including a description of the conduct and the steps to be taken to ensure the conduct is not repeated or continued. The OAIC may now issue infringement notices for non-compliance with these requests for information.
The Act also enhances the ability of the OAIC and ACMA to share information with other enforcement bodies, including foreign data protection authorities, and empowers the OAIC to publish certain information where it is in the public interest to do so.
The Act removes the prior requirement that, to have an ‘Australian link’, an entity must collect or hold personal information in Australia. Now, any foreign entity carrying on a commercial activity in Australia will be captured by the Act.
The Act is expected to be followed by a series of further reforms, which were the subject of the Attorney-General’s Issues Paper in 2020 and Discussion Paper in 2021. While no reforms have been confirmed, the papers contemplate changes including:
- creating additional low and mid-tier offences for more minor interferences with privacy, which will attract smaller civil penalties and infringement notices than the ‘serious and repeated interference with privacy’ civil penalty provision;
- expanding the definition of ‘personal information’ to include technical information and inferred personal information, such as IP addresses;
- requiring personal information to be anonymised, rather than simply de-identified, in order for obligations under the Privacy Act to no longer apply to it;
- standardising templates for obtaining consent to collect personal information for certain sectors, in the same way that food nutrition labels are standardised;
- requiring pro-privacy settings for websites and applications to be ‘on’ by default;
- reforming the employee record exemption;
- creating a right to erasure, which exists under other jurisdictions’ privacy regimes, including the General Data Protection Regulation in the EU; and
- creating a direct right of action for individuals whose privacy has been interfered with.
Attorney-General Mark Dreyfus has stated that the Government aims to finalise the review into the Privacy Act, which would include the release of a final report on the matter, by the end of 2022.
Companies, including foreign entities carrying on business in Australia, should review their privacy regimes and data governance frameworks, including their data breach response plans, and ensure they comply with the Privacy Act given the higher penalties which now apply. This may include developing, implementing and updating privacy compliance procedures, testing the effectiveness of data controls and ensuring that third-party risks are being managed effectively.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.