In the wake of a flurry of high-profile data breaches in the local telecoms and healthcare sectors, the Australian Government announced on 22 October 2022 that it was moving quickly to increase financial penalties under the Privacy Act 1988 (Cth). The Attorney General, the Hon. Mark Dreyfus MP, tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) on 26 October 2022.1
Significant Increase in Financial Penalties
The Privacy Act 1988 (Cth) (Privacy Act) applies to the handling of personal information by most Australian Government agencies and by private companies, excluding “small” businesses with annual turnover of less than AUD$3 million. Currently, the maximum civil penalty for “serious or repeated interferences with privacy” is AUD$2.22 million.2
Under the Bill, the maximum penalty for incorporated entities would be increased to the greater of:
- AUD$50 million;
- Three times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period (i.e., the period of non-compliance with the Privacy Act).3
For unincorporated entities (including individuals, sole traders and partnerships), the penalty will increase from the current maximum of AUD$440,000 to AUD$2.5 million.4
These penalties would apply to any breach of the Privacy Act (including the Australian Privacy Principles) that constituted a “serious or repeated interference with privacy,” per s13G of the Privacy Act. This maximum penalty could apply to scenarios involving security incidents or data breaches and breach notification, but also to any other compliance violations — for example, issues relating to the handling of personal information, such as those relating to transparency, privacy governance, uses and disclosures of personal information, or over-retention of this type of sensitive data for a period beyond what is legally necessary.
The proposed penalties are similar in approach to those under GDPR in Europe, which is widely considered the strongest global privacy regime. GDPR includes fines of €20 million, or up to 4% of global revenue, whichever is the greater.5 To date, European regulators have issued fines in the tens and hundreds of millions of euros.6
If the Bill is passed, Australia would have some of the most severe financial penalties for data privacy violations in the world, with fines for large businesses potentially reaching hundreds of millions of dollars. This proposal is an evolution of an ongoing trend within the recently elected Australian Government of focusing on cybersecurity, data risk and the importance of building resilience against these risks to protect the Australian economy and the public.
Enhanced Enforcement Powers
The Bill also proposes amendments to the Australian Information Commissioner Act 2010 (AIC Act) to provide the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement powers. These include:
- expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation;
- amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act (even if they do not collect or hold Australians’ information directly from a source in Australia);
- providing the Commissioner with new powers to conduct assessments;
- providing the Commissioner new infringement notice powers to penalise entities for failing to provide information without the need to go to court to seek a civil penalty order; and
- strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach, to enable them to better assess the risk of harm to individuals.7
The Bill also proposes expanded and clarified information gathering and information sharing powers. This is seemingly in response to some recent high profile Australian data breaches in which the Information Commissioner and the Attorney General have had to actively seek out or demand information about the extent and severity of data breaches from breached entities. It is intended to ensure the Government and the Information Commissioner are better equipped to provide information about data breaches to affected individuals.
Specifically, the Bill will enhance the Information Commissioner’s ability to share information by:
- clarifying that the Commissioner can share information gathered through the Commissioner’s Information Commissioner functions, Freedom of Information functions and Privacy functions;
- providing the Commissioner with the power to disclose information or documents to an enforcement body, an alternative complaint body, and a State, Territory, or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties; and
- providing the Commissioner with the power to publish a determination or information relating to an assessment on the Commissioner’s website; and disclose all other information acquired while exercising powers or performing functions or duties if it is in the public interest.8
The Bill also proposes to amend the Australian Communications and Media Authority (ACMA) Act 2005 to expand the ACMA’s ability to share information with other Australian Government agencies to assist in the enforcement of Commonwealth laws.9
Noting the ACMA and the OAIC have recently launched a joint investigation into a recent data breach, it appears the Government is laying the groundwork for greater interagency cooperation on privacy regulation.
What’s Next
The Australian Government is also continuing its review of the Privacy Act, which has been in progress since December 2019. A report on the consultation on the Review of the Privacy Act 1988 – Discussion paper is due before the end of the year. The amendments are expected to be far reaching — proposals currently under consideration include elimination of existing exemptions, broader powers to issue penalty notices, expansion of the definition of personal information and the introduction of a statutory tort of privacy. Draft legislation will likely be introduced next year.
FTI Technology’s global Information Governance, Privacy & Security experts recommend that businesses that handle personal information and operate in Australia, or that collect personal information from Australia, are proactive in reviewing and mitigating their privacy risks. In the changing privacy risk landscape, developing defensible approaches to personal information management, and designing toward privacy best practice, will continue to be critical issues for the boardroom.
1: Parliament of Australia, Bills and Legislation – Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
2: Privacy Act 1988 (Cth) s13G, where “penalty unit” is defined by the Crimes Act 1914 (Cth) s4AA.
3: Parliament of Australia, Bills and Legislation – Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, Schedule 1 – Amendments, part 14
4: Ibid.
5: What are the GDPR fines? https://gdpr.eu/fines/
6: GDPR Fines & Data Breach Penalties, https://www.gdpreu.org/gdpr-compliance/fines-and-penalties/
7: Parliament of Australia, Bills and Legislation – Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, Schedule 1 – Amendments, part 18
8: Parliament of Australia, Bills and Legislation – Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, Schedule 1 – Amendments, part 20
9: Parliament of Australia, Bills and Legislation – Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, Schedule 1 – Amendments, part 40