New privacy law sees tougher penalties and enforcement powers for serious and repeated privacy breaches

30.11.2022 | Sonja Read, Nadia El Moslemani

The Australian federal government has passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

Key takeouts

  • Following a short consultation period, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was passed on 28 November 2022, virtually without amendment.
  • The Bill comes in the wake of a string of data breaches and is aimed at ensuring that the Australian Information Commissioner is equipped with the necessary enforcement tools to investigate the misuse of personal information.
  • These amendments signify the first tranche of the sweeping reform to Australian privacy law set to continue into 2023.

After a short consultation and review, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) has been passed by the federal parliament in what will be only the first tranche in a series of sweeping reforms to Australia's privacy laws.

More detailed background on the Bill can be found in our previous article 'New privacy bill proposes tougher penalties and powers for serious privacy breaches'.

Following the introduction of the Bill to the Lower House, it was referred to the Senate Legal and Constitutional Affairs Legislation Committee (Committee) on 27 October 2022, for inquiry and report by 22 November 2022.

The Committee received submissions from a range of stakeholders, including the Australian Information Commissioner, privacy interest groups and the Law Council of Australia. Despite some criticisms of the Bill, including regarding the wholesale adoption of the Australian Consumer Law's penalty regime and the broader extra-territorial reach of the Bill, the Committee recommended that the Bill be passed subject to the following recommendations:

  • the Attorney-General’s Department, as part of its review of the Privacy Act 1988 (Cth) (Privacy Act), recommend amending section 13G of the Act to define the terms ‘serious interference’ and ‘repeated’ interference and that the Australian government implement such a recommendation; and
  • the Attorney-General’s Department, as part of its review of the Privacy Act, examine the appropriateness of section 5B providing for any additional ‘Australian link’.

Whilst some non-government Senators expressed concerns with the Bill, it was ultimately passed on 28 November 2022 on the proviso that the Committee's recommendations were adopted.

We have summarised the key amendments below.

Increased penalties

The Bill increases the penalty for serious or repeated interferences with privacy under section 13G of the Privacy Act:

  • for a person other than a body corporate, from $444,000 to $2.5 million; and
  • for a body corporate, from $2.22 million to an amount not exceeding the greater of $50 million, three times the value of the benefit obtained or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.

Enhanced enforcement powers

The Bill provides the Office of the Australian Information Commissioner with enhanced enforcement powers through a number of key mechanisms. This includes expanding the types of declarations that the Australian Information Commissioner (Commissioner) can make in a determination at the conclusion of an investigation.

To ensure Australia's privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians' information on servers offshore, the Bill amends the extraterritorial jurisdiction of the Privacy Act. This will mean that, even if foreign organisations do not collect or hold Australians' information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they 'carry on a business' in Australia.

The amendments will also provide the Commissioner with new powers to conduct assessments, and with new infringement notice powers to penalise entities for failing to provide information or produce a document or record, without the need to engage in protracted litigation. A separate criminal penalty has been created for a body corporate that engages in conduct which constitutes a system of conduct or pattern of behaviour.

Strengthened Notifiable Data Breaches scheme

The Bill strengthens the existing Notifiable Data Breaches scheme by empowering the Commissioner to assess an entity's compliance with the scheme's requirements.

The Commissioner will have new information-gathering powers in relation to the scheme's reporting and notification requirements. These are intended to give the Commissioner a comprehensive understanding of the information compromised in a breach, in order to assess the particular risks to individuals and take action, such as issuing a direction requiring the entity to notify individuals affected by the data breach.

Enhanced information sharing

The Bill enhances the Commissioner’s ability to share information by:

  • clarifying that the Commissioner is able to share information gathered through the Commissioner’s information commissioner functions, freedom of information functions and privacy functions;
  • providing the Commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body, and a State, Territory or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties; and
  • providing the Commissioner with the power to publish a determination or information relating to an assessment on the Commissioner’s website and disclose all other information acquired in the course of exercising powers or performing functions or duties if it is in the public interest.

The Bill will also amend the Australian Communications and Media Authority Act 2005 (Cth) to expand the Australian Communications and Media Authority’s ability to share information to non-corporate Commonwealth entities (defined in section 11 of the Public Governance, Performance and Accountability Act 2013 (Cth)) responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.

By strengthening penalties, Australia will be signalling its expectations that businesses undertake robust privacy and security practices. In the wake of recent high profile data breaches, all organisations regulated by the Privacy Act should be turning their minds to their privacy compliance posture as a matter of urgency, to consider whether their policies and processes – and those of their key suppliers – are adequate.

MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance in managing your privacy compliance.