As a business that handles information, it is essential you are aware of the proposed amendments to Australian privacy laws. Following some high-profile data breaches in large Australian corporations, the federal government has announced several legislative changes to safeguard and strengthen Australian privacy laws. If passed, significant financial penalties would apply for serious and repeated data breaches.
This article outlines the proposed amendments, their implications, and their impact on businesses' rights and their existing suite of privacy documents.
What Are the New Privacy Law Amendments?
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) proposes to significantly increase the penalties for serious or repeated interference with the privacy of an individual. A snapshot of the proposed penalty changes is set out in the table below:
| | Current Penalties | Proposed Penalties |
|---|---|---|
| Individuals, Sole Traders and Partnerships | $440,000 | $2.5 million |
| Body Corporate | $2.22 million | $50 million for a body corporate; OR three times the value of any benefit obtained through the misuse of information; OR 30% of a company's adjusted turnover in the relevant period (i.e. the period of non-compliance with the Privacy Act) |
If the Bill is passed, these penalties would apply to any breach of the Privacy Act and the Australian Privacy Principles that constitute a serious or repeated breach of privacy.
In addition to the increased penalties, the Office of the Australian Information Commissioner (OAIC) will gain greater enforcement and information-sharing powers.
What Are the OAIC Powers?
The Bill seeks to increase the enforcement powers available to the OAIC, which would allow it to:
- conduct assessments of an entity's compliance with the notifiable data breach scheme;
- gather information to conduct an assessment of any kind and assess an actual or suspected eligible data breach;
- issue an infringement notice for a failure to give information, answer a question or produce a document or record when required to do so; and
- compel entities to take specified steps to improve their practices to reduce the risk of continued or repeated privacy breaches.
Under the Bill, entities that fail to comply with an OAIC infringement notice without a reasonable excuse face increased penalties as follows:
- in respect of individuals, 60 penalty units; and
- in respect of companies, 300 penalty units.
Based on the current penalty unit value, this leads to a maximum civil penalty of $13,320 for individuals and $66,600 for companies.
Information Sharing Powers
The Bill further provides the OAIC with new information-sharing powers. Notably, if the Bill passes, the OAIC will have express power to publish a final determination following a privacy investigation, as well as information about a final assessment report, on its publicly accessible website.
In addition, the OAIC can share information with:
- enforcement bodies;
- alternative complaint bodies; and
- a State/Territory or foreign privacy regulator.
The OAIC may share information with these authorities so the authority, or the OAIC, can perform its functions or duties.
For example, the OAIC can share information with the eSafety Commissioner on matters relating to online safety. This enhanced power intends to ensure any enforcement bodies receiving information from the OAIC can perform their role with greater efficiency and efficacy.
Additionally, the OAIC's information-sharing powers will be subject to several limitations to ensure they are reasonable, necessary and proportionate. For instance, the OAIC must be satisfied on reasonable grounds that the receiving authority has satisfactory arrangements for maintaining the security of the information or documents.
The Bill will also amend the Australian Communications and Media Authority Act 2005 (ACMA Act) to expand the ACMA's ability to share information with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.
The privacy law updates seek to reflect the fact that multinational corporations collect and hold personal data in the cloud. Currently, the Privacy Act applies to entities operating outside Australia if they have an 'Australian link'. An Australian link, for the purposes of the Privacy Act, exists if:
- the entity was formed in Australia or has its central management and control in Australia; or
- the organisation carries on business in Australia; and
- the personal information was collected or held by the organisation in Australia, either before or at the time of the act.
The Bill proposes to amend the Act's extraterritoriality provisions by removing the requirement that the personal information was collected or held by the organisation in Australia (either before or at the time of the act).
This amendment means that, even if a foreign organisation does not collect an individual's information directly from an Australian source, it must still comply with the obligations under the Privacy Act if it 'carries on a business' in Australia.
This enables the Privacy Act obligations to be enforced against global technology companies that process an Australian's information offshore.
In summary, the Bill proposes to:
- increase maximum penalties for serious or repeated privacy breaches;
- increase the sharing and investigatory powers of the OAIC; and
- penalise entities for failing to provide information concerning an OAIC investigation.
The Government's apparent intention with these proposed legislative amendments is to motivate companies to have strong cyber and data security safeguards in place to protect the privacy of Australians. Additionally, it serves to remind individuals and businesses of the importance of their consumers' privacy rights online. The Bill is subject to further discussion and amendment. Furthermore, the Privacy Act Review discussion paper will be published toward the end of 2022.