Insight

Privacy Act enforcement powers to be boosted


TL;DR

The Government has introduced legislation that will significantly increase maximum penalties under the Privacy Act.  Changes have also been proposed to make the Act easier to enforce against foreign organisations, including digital platforms that have no physical presence in Australia. If passed, the changes will facilitate greater information sharing between the OAIC and the ACMA on privacy-related enforcement actions, and bolster other aspects of the OAIC’s enforcement powers.  These changes have been accelerated in response to recent major data breaches experienced by Optus, Medibank and others.  Further changes to underlying privacy compliance requirements will be introduced once the Government completes its long-running review of the Privacy Act, which is likely to be before the end of this year.

Further Details

The Government has today introduced legislation (the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022) that will significantly increase maximum penalties under the Privacy Act (in relation to conduct after the changes come into effect – the increases will not have retrospective effect).  As a result of the proposed changes, a serious or repeated breach of the Australian Privacy Principles could attract a maximum penalty of $2.5 million for individuals or for body corporates an amount equal to the greater of:

  • $50 million (a massive increase over the current maximum of $2.22 million);
  • three times the value of the benefits obtained from the breach; or
  • if the court cannot determine the total value of those benefits, 30% of adjusted turnover in Australia during the ‘breach turnover period’ (being the longer of 12 months prior to the breach or the period over which the breach occurred).

This development is entirely unsurprising, given that successive Governments have long promised to increase maximum penalties under the Act, and the proposed increases align with the increased penalties for breaches of competition and consumer laws that were proposed in September (see this previous KWM update for further detail on those changes).  Recent major data breaches experienced by large corporates such as Optus, Medibank and others, which have affected millions of Australians, put pressure on the Government to respond in a swift and decisive manner by accelerating the pace of privacy reforms.  Other privacy laws around the world, such as the GDPR in Europe, have for some years allowed for maximum penalties that dwarfed those available in Australia.  The increased penalties that the Government has now proposed would give Australian laws similar heft (though how such penalties would apply in the case of a major incident that may comprise potentially millions of separate contraventions is yet to be explored by Australian courts in the context of the Privacy Act).  Given the mood, we expect that this initiative will receive bipartisan support in Parliament.

In addition to increasing maximum penalties, the Government has also proposed to amend the extraterritorial application of the Privacy Act to foreign organisations by removing the last limb of the existing "Australian link" test.  If implemented, that change would mean that the Privacy Act would apply to acts done outside Australia by any foreign organisation as long as the organisation carries on business in Australia.  The Explanatory Memorandum explains that this is a response to the challenges in establishing that foreign organisations, particularly digital platforms that may not have a physical presence in Australia, collect information about Australians directly from Australia.  However, strictly speaking the change could mean that the Act will apply to information that an organisation collects outside Australia about individuals who are not even present in Australia, simply because the organisation also happens to carry on business in Australia.  This could be a significant and potentially unintended expansion of the scope of the Act.

Apart from these changes, the Government also proposes to:

  • allow the Information Commissioner to delegate the role of making determinations following a privacy investigation to senior staff members;
  • introduce new powers for the Information Commissioner to obtain information relating to actual or suspected data breaches, so that the Commissioner can properly assess the particular risks posed by such breaches;
  • introduce new powers for the Information Commissioner to share information with other enforcement bodies and to publish information if satisfied that it is in the public interest to do so – the Explanatory Memorandum indicates that this is specifically intended to facilitate better cooperation between the Commissioner and the ACMA and to enable the Commissioner to keep Australians informed about privacy issues;
  • allow the Information Commissioner in a privacy determination to require organisations to engage an independent adviser to review privacy acts or practices of the organisation and then report to the Commissioner and/or to publish a statement (in the manner specified by the Commissioner, acting reasonably) about a privacy breach and the steps being taken to ensure that it does not happen again; and
  • give the Information Commissioner power to issue infringement notices to persons who refuse to answer a question or produce a document when required under the Act. This replaces an existing criminal offence, with the stated aim being to make it easier for the Commissioner to enforce without having to resort to a criminal prosecution.  There will still be a separate criminal offence where a body corporate engages in systematic non-compliance with the Commissioner’s requests.

Unlike the increased penalties, a number of these changes apply in relation to existing investigations as well as information that the Information Commissioner has already obtained through the exercise of statutory powers, and so may have significant implications for ongoing and past regulatory processes.

This boost to the OAIC’s powers comes at a time when the OAIC is already actively seeking to bolster its enforcement capability.  This could spark a significant shift in approach for the OAIC and we anticipate that we may see more active and aggressive enforcement of the Privacy Act in coming months and years.  This would seem to align with public sentiment, as surveys show strong support from Australians for stricter privacy rules and harsher consequences for companies that fail to comply.

However, an under-appreciated fact is that the OAIC has only once before applied for a civil penalty order under the Privacy Act, in a proceeding that is still working its way through the courts.  Historically, the vast majority of privacy breaches have been addressed through other resolution mechanisms under the Act, without formal determinations being made or financial penalties or fines being sought or imposed.  The increased maximum penalties now proposed will remain only a theoretical deterrent unless the OAIC changes its prevailing approach to enforcement.

Another important thing to note is that the changes that the Government has introduced today do not actually change any underlying privacy compliance obligations.  As such, they do not of themselves impose any new or greater compliance burden on companies that manage personal information (except perhaps for those organisations that may be caught by the wider extraterritorial test).  From an operational and compliance perspective, more significant changes will come once the Government completes its long-running review of the Privacy Act, which is likely to be before the end of this year.  As foreshadowed in previous KWM alerts, these changes may include things such as enhanced transparency and consent obligations, new overarching obligations to ensure that personal information is used in a way that is “fair and reasonable”, requirements to undertake privacy impact assessments for initiatives that may present a high risk to privacy, and a range of new individual data subject rights, such as rights to object to the use of personal information and to require that information be erased (also commonly referred to as the “right to be forgotten”).  These changes, if enacted, will have a far more substantive impact from an operational perspective, and will require all organisations that deal with personal information to rethink their information management processes and procedures.

While personal information will remain a necessary and valuable resource for many organisations, it is clear that the compliance costs and risks associated with the management of that information are likely to increase in the future.  Although further reforms are still to come, it is never too early to start reviewing current compliance processes and make sure that your house is in order.

Please reach out to any of your KWM contacts if you would like to discuss these developments in greater detail.
