On 26 October 2022, the Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) into Parliament. The reforms proposed by the Bill are significant, and will undoubtedly renew focus on the importance of protecting personal information in the digital age.
The Bill will take effect the day after it receives Royal Assent. Although the new penalties will not apply retrospectively to breaches that occurred before the Bill becomes law, the Commissioner's expanded information gathering powers will apply regardless of when an incident may have taken place.
Renewed urgency to privacy reforms
The recent spate of cyber attacks and data breaches in Australia has given renewed urgency to the Australian Government’s reforms to the Privacy Act 1988 (Cth) (Privacy Act). The new Attorney-General, Mark Dreyfus KC, had already promised 'sweeping reforms' and a suite of proposals before the end of this year.
However, in light of a number of recent high-profile data breaches, the government has sought to fast-track some of those amendments by introducing the Bill.
In summary, the Bill:
- significantly increases the maximum penalties that can be applied under the Privacy Act for serious or repeated breaches;
- provides the Australian Information Commissioner with greater enforcement powers;
- provides the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers; and
- introduces other minor and procedural amendments to address current limitations in the Privacy Act.
Increase to penalties for serious or repeated breaches
The most significant reform introduced by the Bill is to increase the maximum penalties that can be applied under the Privacy Act for serious or repeated privacy breaches. For entities other than a body corporate, the maximum penalty will be $2.5 million, and for bodies corporate the penalty will be the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of the information; or
- 30 percent of a company's adjusted turnover in the relevant period.
The current maximum civil penalty is 2,000 penalty units ($444,000) for individuals and 10,000 penalty units ($2.22 million) for bodies corporate, so this represents a very significant change. The government has commented in the wake of recent events that the current penalties are inadequate in light of community expectations.
No doubt this significant increase in potential sanctions will focus organisations on the Privacy Act. However, the requirement for a breach to be 'serious or repeated', and the procedural limitations in the Privacy Act, which require the Commissioner to institute proceedings in the Federal Court before a penalty can be imposed, will continue to impede the imposition of such penalties unless and until further amendments to the Privacy Act are made. The Commissioner has only ever issued one such proceeding, against Facebook in relation to the Cambridge Analytica matter, which is currently making its way through the Courts.
In addition, in the federal budget handed down this week, the Government has allocated $5.5 million to the Commissioner to specifically respond to the Optus data breach.
It is also significant that the Privacy Act (in its current form) does not apply to small businesses that have an annual turnover of $3 million or less (subject to some exceptions). These businesses will still fall outside the new penalty regime, further limiting its impact. However, the small business exemption is expected to be narrowed or entirely removed as part of the next tranche of privacy reforms.
Greater powers for the Australian Information Commissioner
The Bill will provide the Australian Information Commissioner with additional powers to address privacy breaches, by:
- expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation. For example, the Commissioner may declare that a respondent to a complaint prepare a statement about the conduct the subject of the privacy complaint, and that the statement be provided to the complainant or published;
- amending the extra-territorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians' information directly from sources in Australia. Currently, foreign organisations need only comply with the obligations under the Privacy Act if they have an 'Australian link'. In today's digital era, foreign organisations can employ collection technologies such that they do not collect or store information 'directly from sources in Australia'. This reform is likely a result of the Facebook Cambridge Analytica matter currently before the High Court, in which Facebook Inc is arguing that the requisite 'Australian link' is absent;
- providing the Commissioner with new information gathering powers for the purposes of conducting assessments of any kind and assessing actual or suspected eligible data breaches. For example, the Commissioner will be able to require a person or entity to provide information, produce documents or answer the Commissioner's questions; and
- providing the Commissioner with new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation. The intent here is to enable the Commissioner to resolve matters more efficiently.
Strengthening the Notifiable Data Breaches scheme
In relation to the Notifiable Data Breaches (NDB) scheme, the Bill will:
- empower the Commissioner to conduct an assessment of an entity's compliance with the NDB scheme. This will help ensure entities are meeting the scheme's reporting and notification requirements, which in turn will increase transparency and help individuals take steps to protect their privacy;
- ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harms to individuals; and
- require organisations that experience an eligible data breach to include in their breach notice the particular kinds of information affected by the breach.
Information sharing powers
Finally, the Bill will equip the Australian Information Commissioner and the ACMA with greater information sharing powers. The Commissioner will be able to share information with enforcement bodies, alternative complaint bodies and State, Territory or foreign government authorities, for the purpose of exercising the Commissioner's own powers or for allowing the receiving body to exercise its powers or functions.
The Bill also expands the ACMA’s capacity to share information with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law, where the information will enable or assist the entity to perform or exercise any of its functions or powers.
Of particular note, the Commissioner will also have the power to disclose information acquired in the course of exercising its powers to the public, if the Commissioner is satisfied that it is in the public interest to do so.
In light of these proposed changes, all organisations should be turning their minds to their privacy compliance posture as a matter of urgency, to consider whether their policies and processes – and those of their key suppliers – are adequate.
This will also assist organisations in preparing for upcoming and far-reaching privacy reforms that will transform the way Australian organisations are required to protect and handle personal information.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in managing your privacy compliance.