Tell me in a minute
The Australian Government is seeking to implement reforms to the Privacy Act 1988 (Cth) (Privacy Act). One key focus area of the reforms in the Privacy and Other Legislation Amendment Bill 2024 (the Bill) is the enhanced enforcement powers of the Australian Information Commissioner (Information Commissioner).
The key features of the Bill from an enforcement perspective are:
- the removal of ‘repeated’ interference from the current civil penalty provision in section 13G, and instead confirming that any ‘repetition’ of interference is a factor relevant to determining whether an interference is ‘serious’, along with a new non-exhaustive list of other factors
- expansion of the civil penalty and enforcements provisions, by including penalty provisions for ‘non-serious’ and certain ‘administrative’ breaches, which will likely lead to an increase in regulatory action especially considering the Information Commissioner’s indications that they will be more active in enforcing the Privacy Act[1]
- a new pathway for individuals to apply directly to court for compensation where they allege they have suffered loss or damage as a result of an entity contravening any civil penalty provision (other than those relating to credit reporting, where a similar regime already applies), and a Court has determined or will determine that the entity has contravened that provision. This likely provides a new platform for class actions, notwithstanding that the Bill does not include a direct right of action for breach of the Australian Privacy Principles (APPs) as had previously been foreshadowed; and
- a new framework permitting the Information Commissioner to conduct public inquiries, which may increase the complexity of investigations including with respect to the protection of confidential and highly sensitive information (including security information which could lead to cyber attacks).
Overview
In our series of alerts on the Bill so far, we have summarised the history of the Bill and the key elements of the proposed reforms, and taken deep dives into the key substantive elements of those reforms and into the proposed new statutory tort for serious invasions of privacy.
In this latest instalment, we explore the theme of enforcement in depth and explain how changes to the civil penalty and enforcement provisions may influence how businesses collect, store, and disclose personal information, as well as the impact these changes may have on the Information Commissioner’s scope and appetite for bringing civil penalty proceedings in the courts.
Change to the definition of ‘serious interference’ under section 13G
Under the current section 13G of the Privacy Act, an entity contravenes a civil penalty provision if it does an act, or engages in a practice, that is either a ‘serious’ or ‘repeated’ interference with the privacy of one or more individuals. There has been no judicial consideration of section 13G or the concepts of ‘serious’ or ‘repeated’ to date.
Submissions on the Privacy Act reform proposals widely endorsed clarification of section 13G:
- emphasising the need for greater clarity on the extent to which the repetition of contravening conduct would constitute a serious interference, including a suggestion that repetition should be a factor in determining whether an interference is serious, but it should not be a determinative factor. For example, some submissions maintained that a breach affecting a large number of people should not automatically be treated as ‘serious’ where the impact on each individual was not significant;
- supporting clarification of section 13G but suggesting that detailed guidance from the OAIC on what constitutes “serious interference” would be more appropriate than including specific factors in the Privacy Act. For example, some argued that guidance would be more flexible and could more easily be adapted to respond to emerging technologies, while others argued that hardwiring particular considerations into the Act may prevent consideration of broader contextual factors.
Ultimately, the Bill proposes to update section 13G to:
- remove ‘repeated’ interference as a separate limb, so that section 13G can now only be engaged where an interference with privacy is ‘serious’; and
- set out a non-exhaustive list of matters a court may have regard to in determining whether an interference with privacy is ‘serious’, as follows:
- the particular kind of information involved;
- the sensitivity of the information;
- the consequences, or potential consequences, of the interference for the individual;
- the number of individuals affected;
- whether the affected individual is a child or person experiencing vulnerability;
- whether the interference was done repeatedly or continuously (consolidating the previous ‘repeated’ limb);
- whether the entity failed to take steps to comply with their obligation in relation to privacy in a way that contributed to the interference with privacy;
- any other relevant matter.
While the list provides some guidance on what is relevant to assessing the ‘seriousness’ of an interference, it is not overly prescriptive, which may still lead to some uncertainty in practice. For instance:
- the list indicates that the “kind of information involved” and the “consequences” of the interference will be relevant, but provides no guidance on what kinds of information or consequences will weigh in favour of a finding of seriousness, and
- submissions from business indicated that clarification of section 13G would assist in identifying which activities may lead to a serious interference, allowing resource allocation to focus on minimising such interferences, but the list of factors in section 13G(1B) provides little guidance.
We anticipate that further guidance will be provided by the Information Commissioner as to how she proposes to approach each of the identified factors. This will go some way to providing organisations with a clear understanding of how the law will be enforced while maintaining flexibility to update the approach as technologies and community expectations change.
The broad nature of the list will leave scope for a court to consider any relevant contextual matters when determining whether or not a particular interference should be regarded as being sufficiently “serious” to engage section 13G. Importantly, it is clear that no one factor is determinative. For example, while the number of individuals affected has been identified as a relevant factor, an interference will not automatically be treated as being “serious” simply because of the number of people involved. Interestingly, the list of factors in the Bill suggests that a breach arising from a single course of conduct that affects a large number of individuals is more likely to be characterised as a single serious “interference” with privacy rather than as a series of separate serious interferences. This is reflected in the Bill’s new civil penalty provision (section 13K) for more minor administrative breaches of the Privacy Act. The Note to section 13K(1) clarifies that if an APP entity’s conduct contravenes one or more of the ‘administrative’ civil penalty provisions in section 13K, it would be open to the Information Commissioner to find that a more serious breach has occurred under section 13H or 13G.[2] Sections 13H and 13K are discussed in greater detail below.
These changes to section 13G and the addition of section 13K may significantly affect the way that civil penalty claims are framed in future. For example, under the current Act (albeit under the old penalty regime), the Information Commissioner has alleged that a failure by Australian Clinical Labs to implement appropriate information security safeguards (in breach of APP 11.1) represented a “serious” interference with the privacy of each of the 21.5 million individuals who were affected by a cyberattack on ACL.[3] In effect, the Commissioner argues that there were 21.5 million separate contraventions under section 13G. A similar allegation is made in the Information Commissioner’s proceeding against Medibank. Australian Clinical Labs and Medibank are both resisting the Information Commissioner’s contention that separate contraventions arise for each individual whose information was allegedly held by the entity.
Tiered civil penalty regime
The Bill will establish a new three-tier civil penalty regime, broadening the types of breaches which could attract civil penalties under the Privacy Act. The three tiers of penalty under the new regime are set out in the table below.
[1] Office of the Australian Information Commissioner, Corporate Plan 2024-25.
[2] EM [181].
[3] https://www.oaic.gov.au/__data/assets/pdf_file/0017/112526/AIC-v-Australian-Clinical-Labs-Limited-concise-statement.pdf
[4] The value of a penalty unit is indexed periodically based on the formula in section 4AA of the Crimes Act 1914. For breaches of law on or after 1 July 2024, one penalty unit is valued at $330. The maximum penalty for bodies corporate is five times the amount specified for a person (see subsection 82(5) of the Regulatory Powers Act).
[5] EM [84].
[6] An administrative breach for a non-compliant eligible data-breach statement under section 26WK(3) will apply to both the statement provided to the Commissioner and any statement provided to individuals to whom the relevant information relates. This is due to the operation of section 26WL (statements provided to individuals), which requires APP entities to notify individuals of the contents of any section 26WK(3) statement (provided to the Information Commissioner) in respect of an eligible data breach.
[7] EM [179].
[8] Regulatory Powers Act, s 82(5)(a).
Infringement notices
The Bill will also introduce a new process for enforcing the ‘administrative’ civil penalty contraventions that fall within section 13K. Under the new process, the Information Commissioner will have the power to issue infringement notices for breaches of section 13K. Currently, the power to issue infringement notices only exists in relation to section 66(1) for failure to give information.[9]
Infringement notices are a mechanism similar to a fine, designed for lower-level breaches to allow for prompt resolution as an alternative to court proceedings. Any infringement notice issued in relation to a breach under section 13K will state the amount of the civil penalty, but pursuant to section 13K(4) the penalty must not exceed 200 penalty units (currently $66,000).[10] The respondent entity will have the option to pay that amount or contest the issue in court. Payment of the notice will not be treated as an admission or finding of guilt or liability. Importantly, an infringement notice must be issued within 12 months of the relevant contravention, so it will provide an incentive for the Commissioner to move swiftly in any investigation, as otherwise this enforcement option will be off the table.
In its report on the Bill (tabled on 14 November 2024), the Senate Legal and Constitutional Affairs Legislation Committee recommended that the Bill be amended to empower the Information Commissioner to issue a discretionary notice to an entity to remedy an alleged breach of section 13K before issuing an infringement notice.[11] Enacting this amendment would be consistent with the OAIC’s stated approach to “minor or inadvertent contraventions” of the Privacy Act. As set out in its Guide to Privacy Regulatory Action, the OAIC states that it is “unlikely to seek a civil penalty order for minor or inadvertent contraventions, where the entity or person responsible for the contravention has cooperated with the investigation and taken steps to avoid future contraventions.”[12]
We still expect that the new tiered civil penalty regime will encourage greater enforcement action from the Information Commissioner, especially in relation to more minor, administrative breaches of the Act (which are not actionable under the present regime) including by the issuing of infringement notices.
Quantum of pecuniary penalties
The Bill does not provide any additional guidance for courts in determining the quantum of a pecuniary penalty. Courts will therefore apply ordinary principles, under which the primary purpose of a civil penalty is deterrence and the court must take all relevant matters into account, including:
- the nature and extent of the contravention;
- the nature and extent of any loss or damage suffered because of the contravention;
- the circumstances in which the contravention took place; and
- whether the person has previously been found by a court to have engaged in any similar conduct.[13]
Given that any pecuniary penalty set by the Information Commissioner in an infringement notice will, if contested, ultimately be subject to the court’s consideration under section 82(6), the Commissioner is also likely to take the above factors into account in deciding the quantum of any penalty.
Public inquiries
As well as adding to her enforcement arsenal, the Bill will also give the Information Commissioner new inquisitorial powers.
A new section 33E will permit the Minister to direct the Information Commissioner to conduct a public inquiry into specified matters relating to privacy. For example, the Minister may direct the Commissioner to examine the processes that APP entities have in place to ensure the appropriate handling of personal information within a specific sector or industry identified to have heightened privacy risks or vulnerabilities.[14]
Conduct of the public inquiry
A public inquiry under section 33E will be distinct from any investigation under section 40 or a preliminary inquiry under section 42. It will be enlivened at the Minister’s discretion and would not need to relate to a particular incident or suspected interference with privacy. Rather, the public inquiry under section 33E may focus on a particular practice or a particular type of personal information. Section 33E(3) will also allow the Minister to specify one or more APP entities that are to be subject to the inquiry.
The Bill will permit the Information Commissioner to invite submissions on the subject of the public inquiry.[15] Like the investigatory powers under section 42, the Information Commissioner will not be bound by the rules of evidence in conducting a public inquiry.[16]
Notably, the Commissioner’s power to obtain information or documents and examine witnesses under sections 44 and 45 of the Privacy Act will apply equally to the conduct of public inquiries under section 33E.[17] This may well create challenges relating to the protection of confidential and sensitive information, including sensitive information that—if disclosed publicly—may present security risks.
Reporting on the public inquiry
Unless the Minister directs otherwise, the Information Commissioner must publish the report following the public inquiry.[18] If the Minister specified any APP entities to be subject to the inquiry, the Commissioner must also provide the report to those entities on the same day the report is given to the Minister.[19]
The Bill makes no provision to allow an APP entity to object to the publication of the report. The Commissioner will be prohibited from making any findings or recommendations that a specific act or practice is an interference with the privacy of an individual.[20] However, any information published in the report may help individuals either bolster a complaint to the Information Commissioner under section 36 of the Privacy Act or support a claim under the new statutory tort established under Schedule 2 of the Bill.
The Information Commissioner has discretion to exclude matters from the report,[21] which provides entities the subject of any inquiry with scope to negotiate for the exclusion of commercially sensitive information. However, the Information Commissioner will balance any exclusions from the report against the desirability of ensuring that the public is sufficiently informed.[22]
The public inquiry power will give the Information Commissioner (on direction or approval of the Minister) scope to consider more novel cases of privacy interference as they emerge with advances in data analytics technology. Such public inquiries may also increase public interest in, and scrutiny of, particular industry practices.
Investigations under the Regulatory Powers Act
Division 1AC of the Bill will apply the investigation powers in Part 3 of the Regulatory Powers Act to offence and civil penalty provisions in the Privacy Act. The application of Part 3 of the Regulatory Powers Act has the effect of expanding the Commissioner’s existing entry and inspection powers under section 68 of the Privacy Act.
Additional powers under Part 3 of the Regulatory Powers Act, which will now apply under the Privacy Act are set out in the table below.
[9] Privacy Act, s 80UB(1).
[10] Regulatory Powers Act, s 104(1)(f).
[11] Legal and Constitutional Affairs Legislation Committee, ‘Privacy and Other Legislation Amendment Bill 2024 [Provisions]’ (14 November 2024) [2.384].
[12] OAIC, ‘Guide to Privacy Regulatory Action’, [7.22].
[13] Regulatory Powers Act, s 82(6).
[14] EM [205].
[15] Bill, s 33F.
[16] Bill, s 33G.
[17] Bill, s 33H.
[18] Bill, s 33J.
[19] Bill, s 33J(2).
[20] Bill, s 33J.
[21] Bill, s 33J(4)(b).
[22] EM [224].
[23] Regulatory Powers (Standard Provisions) Act 2014, s 49.
New powers of the Court to make other orders including compensation (s 80UA)
Part 9 of the Bill inserts a new section 80UA which expands the Federal Court’s powers to make compensation and other orders in civil penalty proceedings under the Privacy Act.
This is a new power with potentially significant consequences for privacy litigation as it may open a new avenue for class action litigants.
When is the power enlivened?
The power to make such orders is enlivened where:
- a civil penalty proceeding is on foot, or has been determined by the Court; and
- the Court has determined, or will determine, that the respondent entity has contravened a civil penalty provision of the Privacy Act (other than a breach of Part IIIA in relation to credit reporting – in respect of which there is already a power for this type of application),
and is not affected by whether or not the Court has made, or will make, a penalty order consequent upon a finding of a contravention of the particular provision.
Currently, this avenue for individuals is only open in the narrow circumstances of breaches relating to credit reporting in Part IIIA of the Privacy Act – which has never been used.
Current position
Two circumstances where individuals can make an application to the Court for compensation: under section 55A(1) of the Privacy Act (following a determination by the Information Commissioner) and under section 25(2) of the Privacy Act (credit reporting only).
Future position
The Bill will add to individuals’ existing rights under the Privacy Act by permitting an individual to bring an application for a court order under section 80UA(2) if the Court has determined, or will determine, that an entity has contravened a civil penalty provision and the individual has suffered, or is likely to suffer, loss or damage as a result of the contravention (Bill, s 80UA(4)).
What orders is the Court empowered to make?
Section 80UA(2)(b) empowers the Court to make orders including directing the respondent entity to “pay damages to any individual by way of compensation for any loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention”.
This new power would alter the existing position under the Privacy Act by allowing individuals to go straight to the Court and apply for compensation following (or potentially even during) a civil penalty proceeding commenced by the Information Commissioner. Currently, the Court is only empowered to make orders for compensation for interferences with privacy in limited circumstances, under:
- section 55A, following the determination of a complaint by the Information Commissioner, which the complainant(s) or Information Commissioner seeks to enforce in the Court; or
- section 25, following a civil penalty order for breach of a civil penalty provision in Part IIIA (in relation to credit reporting only).
In addition to orders for compensation, section 80UA provides a non-exhaustive list of other orders the Court may make:
- an order directing the entity to perform any reasonable act, or carry out any reasonable course of conduct, to redress the loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention;
- an order directing the entity to engage, or not to engage, in any act or practice to avoid repeating or continuing the contravention; and
- an order directing the entity to publish, or otherwise communicate, a statement about the contravention.
Who can apply for the orders?
Section 80UA(4) makes clear that the Court may make such orders:
- on its own initiative, during the civil penalty proceedings; or
- on application by the Information Commissioner, or an individual who has suffered, or is likely to suffer, loss or damage as a result of the contravention, made within 6 years of the contravention.
The effect of this subsection is to create a new right for individuals to “piggy-back” off civil penalty proceedings brought by the Information Commissioner and bring a separate application for compensation for privacy breaches.
This would allow individuals to apply for compensation from the Court without first making a complaint to the Information Commissioner or the Information Commissioner making any determination - and gives such applicants 6 years from the date of contravention to make that application.
Section 80UA is not the same as a direct right of action for breach of privacy, as it would still require civil penalty proceedings to be brought by the Information Commissioner as a prerequisite. However, the new pathway may be a significant development which materially expands the direct access for individuals to the Court for compensation for interferences with privacy. Combined with the broadening of civil penalties to non-serious and administrative interferences with privacy (discussed above), the potential range of privacy breaches which could lead to civil penalty proceedings, and then to applications for compensation under section 80UA, is broad and no doubt plaintiff class action law firms and litigation funders will closely monitor any penalties issued by the Commissioner to assess whether it could support a following claim for compensation.
What will be the impact of this new avenue to compensation?
It is unclear how the new section 80UA would operate in practice, and whether it would in fact lead to an uptick in privacy litigation. To date, civil penalty proceedings for breaches of the Privacy Act have been rare, and limited to high-profile, large-scale data breaches (e.g., Australian Clinical Labs and Medibank). However, the proposed changes to the enforcement provisions of the Privacy Act may lead to more civil penalty proceedings being commenced by the Information Commissioner and therefore may lead to an increase in claims for compensation under section 80UA.
There are some other potential issues with section 80UA that will need to be grappled with:
- First, it is unclear whether proceedings under section 80UA brought by an individual need to be brought as part of existing civil penalty proceedings, or whether one could commence fresh, separate proceedings.
On the one hand, section 80UA states that the Court may make an order “in the [civil penalty] proceedings” – suggesting orders must be part of the same civil penalty proceeding.
On the other hand, subsection 80UA(4) specifies that the Court may only make an order on its own initiative “during the [civil penalty] proceedings before the Court”, but does not use those words when providing for applications brought by the Information Commissioner, or an impacted individual — where the only limitation is that an application be made within 6 years of the contravention.
- Second, it is unclear at what point the power to apply for orders under section 80UA is enlivened. Subsection 80UA(1) gives the Court the power to make the orders if the Court “has determined, or will determine, … that an entity has contravened a civil penalty provision”. There is no guidance as to when it could be said that a Court “will”, but has not yet, determined a civil penalty breach. In theory, this could allow individuals to apply for compensation after the Court has determined liability, but before orders are made on relief, including penalties.
- Third, it is unclear whether the power to order compensation for loss and damage extends to compensation for hurt feelings and humiliation. Section 25 of the current Privacy Act, which contains a similar power for compensation orders expressly states, “including injury to the person’s feelings or humiliation”, while the new section 80UA only refers to “loss or damage”.
Despite these uncertainties, there is at least some prospect that section 80UA may open a new avenue for class action law firms to bring group proceedings for breaches of privacy—particularly following large scale and high-profile data breaches that lead to civil penalty proceedings.
Unlike in the current landscape, where class actions (relying on novel claims for indirect breaches of the Privacy Act) have typically been filed and run concurrently with civil penalty proceedings, section 80UA may encourage class action law firms to wait until civil penalty proceedings have been commenced and determined (at least the liability stage), before commencing. In those circumstances, liability for a civil pecuniary penalty would have been determined, and the only question for the Court to determine would be compensatory loss and damage.
Further, section 80UA has some retrospective effect, in that section 60 of the Bill specifies that orders under section 80UA can be made as long as the relevant civil penalty proceedings were commenced after the commencement of the new provision—regardless of when the actual contravention occurred. This would have the effect of extending the new avenue to compensation to data breaches that occurred before the Bill takes effect, where no statutory tort for invasion of privacy existed.
The impact of section 80UA will be fascinating to watch in coming years.