Shifting public sentiment on privacy following several high-profile cyber-attacks has accelerated legislative changes, culminating in the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the Act), the provisions of which have now commenced.
The most significant change is that companies now face penalties for serious or repeated interference with privacy equal to the greater of A$50 million or three times the value of the benefit obtained.
The OAIC now has broader regulatory powers with respect to requesting and sharing information, as well as powers to issue infringement notices for non-compliance with information requests. The requirement that entities collect or hold personal information in Australia has been removed, meaning that overseas entities which carry on business in Australia may be captured by the Privacy Act. Further substantive reforms to the Privacy Act are expected, following the Government's final report on consultations over the last two years.
Shifting public sentiment
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 forms part of a long-running (and ongoing) review into the Privacy Act, which has seen the Attorney-General's Department receive submissions on both an Issues Paper in 2020 and Discussion Paper in 2021 on the topic. The amendments contained in the Act are the result of an expedited response to high-profile data breaches, including that suffered by Optus in September 2022, which affected millions of Australians. After passing both Houses of Parliament on 28 November 2022, the Act was assented to on 12 December 2022 and its provisions commenced on 13 December 2022. They are now in force.
New higher penalties
The Act significantly increases the maximum penalty for serious or repeated interference with the privacy of an individual:
|
Previous Penalty |
Amended Penalty |
|
|
Maximum civil penalty for companies |
A$2.2 million |
The greater of:
|
|
Maximum civil penalty for individuals |
A$444,000 |
A$2.5 million |
* 'Adjusted turnover' means the sum of the value of all supplies made by the entity in connection with Australia. The 'breach turnover period' begins at the start of the month in which the offence or contravention occurred or began occurring, and ends at the end of the month in which it ceased - subject to a minimum 'breach turnover period' of 12 months.
New enforcement powers
The Act expands regulatory powers available to the Office of the Australian Information Commissioner (OAIC), as well as the Australian Communications and Media Authority (ACMA).
The OAIC may now request information from an entity regarding its compliance with the Notifiable Data Breach (NDB) scheme or following an actual or suspected data breach of that entity. Where entities do engage in conduct which causes an interference with the privacy of an individual, the OAIC may now make determinations requiring relevant entities to prepare and publish more detailed statements, including a description of the conduct and the steps to be taken to ensure the conduct is not repeated or continued. The OAIC may now issue infringement notices for non-compliance with these requests for information.
The Amendment also enhances the ability of the OAIC and ACMA to share information with other enforcement bodies, including foreign data protection authorities, and also empowers the OAIC to publish certain information if it is in the public interest to do so.
Extraterritoriality
The Amendment removes a prior requirement for an entity to collect or hold personal information in Australia to have an Australian link. Now, any foreign entity carrying on a commercial activity in Australia will be captured by the Act.
Further reforms
The Act can be expected to be followed by a series of other reforms that have been the topic of the Attorney-General's Issues Paper and Discussion Paper in 2020 and 2021, respectively. While no reforms have been confirmed, the papers contemplate changes including:
- creating additional low and mid-tier offences for more minor
interferences with privacy, which will attract smaller civil
penalties and infringement notices than the 'serious and
repeated interference with privacy' civil penalty
provision;
- expanding the definition of 'personal information' to
include technical information and inferred personal information,
such as IP addresses;
- requiring personal information to be anonymised, rather than
simply de-identified, in order for obligations under the Privacy
Act to no longer apply to it;
- standardising templates for obtaining consent to collect
personal information for certain sectors, in the same way that food
nutrition labels are standardised;
- requiring pro-privacy settings for websites and applications to
be 'on' by default;
- reforming the employee record exemption;
- creating a right to erasure, which exists under other
jurisdictions' privacy regimes, including the General Data
Protection Regulation in the EU; and
- creating a direct right of action for individuals whose privacy has been interfered with.
Attorney-General Mark Dreyfus has stated that the Government aims to finalise the review into the Privacy Act, which would include the release of a final report on the matter, by the end of 2022.
Recommended actions
Companies, including entities carrying on business in Australia, should review their privacy regimes and data governance frameworks, including their data breach response plans, and ensure they are compliant with the Privacy Act given the higher penalties which now apply. This may include developing, implementing and updating privacy compliance procedures, testing effectiveness of data controls and ensuring that third party risks are being managed effectively.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
 |
 |
| Lawyers Weekly Law firm of the year
2021 |
Employer of Choice for Gender Equality
(WGEA) |
