Big data, big responsibility. New penalties for serious breaches

Privacy Act amendment is the first step to bring Australia in line with global privacy standards

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Amendment Bill) was introduced to Parliament on 26 October 2022. The Amendment Bill seeks to make three significant changes to the Privacy Act 1988 (Cth) (Privacy Act):

• increase penalties for serious or repeated interferences with privacy
• strengthen the Office of the Australian Information Commissioner’s (OAIC) enforcement powers, and
• enhance the OAIC and Australian Communications and Media Authority’s (ACMA) information sharing arrangements.

Here we will unpack these changes, discuss what it means for APP entities and make some suggestions about what you can do now to prepare for these changes.

The changes in detail and what they mean

Penalties that pack a punch

There has been a lot of discussion in the media in recent weeks about whether the current penalty provisions in the Privacy Act are enough to incentivise compliance – particularly in the case of large multinational organisations that collect and handle large amounts of personal information in order to carry out their business activities.

The Amendment Bill proposes a substantial increase in penalties for serious or repeated interferences with privacy. 

Currently, the maximum penalty for a serious and repeated interference with the privacy of an individual is $2.22 million for APP entities (organisations and agencies of the Commonwealth) and $444,000 for other entities regulated by the Privacy Act.

The new penalties for a serious or substantial breach are whichever is the greater of:

• $50 million
• three times the value of any benefit obtained through the misuse of information, or
• 30% of a company’s adjusted turnover in the relevant period.

For individuals, the maximum penalty will be increased to $2.5 million.

These increased fines will bring Australia more in line with global standards, most notably the General Data Protection Regulation (GDPR) where penalties for serious violations of privacy can be up to the greater of €20,000,000 or 4% of global turnover of the entity for the previous fiscal year.

In terms of how the new penalty regime will work:

1. the penalties apply to a “serious” or “repeated” interference with the privacy of an individual.  Based on the OAIC’s guidance, a “serious” breach is where the breach is likely to have a serious impact on an individual’s privacy – this will require careful consideration of the type of personal information (and any sensitive information) affected by the breach and the amount of personal information accessed on a case-by-case basis to determine if the breach is “serious”, and
2. as is currently the case, the penalties can be imposed by the Federal Court on an application by the OAIC.

Stronger enforcement powers

The Amendment Bill will enhance the OAIC’s enforcement powers, including by:

• expanding the types of declarations that the Information Commissioner can make in a determination at the conclusion of an investigation
• amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia
• providing the Information Commissioner with new powers to conduct assessments
• providing the Information Commissioner new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation, and
• strengthening the Notifiable Data Breaches Scheme (NDB Scheme) to ensure the Information Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.

These are significant changes.  For organisations and Commonwealth agencies, practically these changes will mean:

1. You will be required to provide more detail about the types of personal information affected by a breach when you notify the OAIC under the NDB Scheme.  The amendment will ensure the OAIC has a comprehensive picture of the personal information affected by the breach so the OAIC can better assess whether the steps you have taken to mitigate the breach are sufficient early in the notification process.
2. If a breach is found to have occurred following an OAIC investigation, the OAIC will have the power to require additional action be taken, including:
   1. a requirement that you publish detailed information about the breach (which may also be published on the OAIC’s website), and
   2. a requirement that you engage a suitably qualified independent adviser to review your organisations practices and steps required to ensure compliance and share the report with the OAIC.
3. The OAIC will have a broad power to compel the production of documents if the Information Commissioner has reason to believe there has been an actual or suspected data breach.  The OAIC can also require records in relation to your entity’s compliance with the NBD Scheme, which means you may receive a notice from the OAIC without having first notified of a NDB.
4. Failure to comply with a notice is now a civil offence and you may be issued with an infringement notice by the OAIC – the penalty is $66,600 (and $13,320 for individuals).  Repeat failure to comply carries a greater financial penalty and, in serious and repeated cases, may amount to criminal conduct and be referred to the Commonwealth Director of Public Prosecution.
5. For multinational organisations, the requirement to have an “Australian link” has changed, meaning if you operate your business activities in Australia, you will be subject to the Privacy Act even if collect and store personal information about Australians in a server offshore.

Information Sharing

The Amendment Bill will enhance the Information Commissioner’s ability to share information by:

• clarifying the Information Commissioner’s ability to share information across the Information Commissioner’s  functions
• authorising the Information Commissioner to disclose information or documents to other regulators and enforcement bodies, and
• authorising the Information Commissioner to publish determinations and other information relating to data breaches if it is in the public interest.  This is a significant change and will authorise the OAIC to disclose information about a breach, which is likely to be commercially sensitive to organisations.

The Amendment Bill will also make changes to the Australian Communications and Media Authority Act 2005 (Cth) (ACMA Act) by expanding ACMA’s ability to share information with the OAIC.

In respect to the OAIC’s ability to disclose information about a data breach where it is in the public interest to do so, this amendment will give the Information Commissioner a new power to publish information about data breaches and any other matters the Information Commissioner acquires in the performance of her functions under the Privacy Act. 

There are a range of issues the Information Commissioner must have regard to when assessing whether publication is in the public interest, including:

• the rights and interests of any complainant or respondent
• whether the disclosure will, or is likely to, prejudice any investigation or enforcement activity, and
• whether the publication will disclose personal information or confidential commercial information.

These are only considerations, not exclusions. Accordingly, there is no guarantee that, for example, confidential commercial information will not be published by the Information Commissioner if it is determined publication is in the public interest.

What can you do now?

The Amendment Bill is just the first step in what is likely to be substantial amendments to the Privacy Act which will follow the Attorney General’s Department’s comprehensive review of the Privacy Act (see more information here:  Review of the Privacy Act 1988 | Attorney-General's Department (ag.gov.au))

So, what can you do now to prepare for these changes? 

Here are our five top tips for Privacy Act compliance:

1. Audit:  map your personal information holdings to ensure you fully understand what personal information you currently collect, use, disclose and hold.  Understanding your personal information landscape is vital to complying with the Privacy Act.
2. Downsize:  critically assess whether you have a continued need to hold on to personal information.  Information that is a ‘nice to have’ but not a ‘need to have’ should be securely destroyed – of course, make sure you continune to retain records where you are required to do so by law (for example, under the Archives Act 1983 (Cth)).
3. Update:  review and update your privacy policy, collection notices and consent forms. These documents are crucial for compliance with the Privacy Act.  These documents need to be kept are up to date and clearly set out how personal information is collected and handled, how personal information can be updated and how to contact you.
4. Secure:  review and update your current security measures. This includes physical and digital security. Ensure your security policies are current and relevant for your business and ensure all staff credentials are up to date and secure.
5. Promote:  embed a privacy culture at every level of your organisation by giving your team the tools they need – give your staff targeted privacy training and resources.

Please reach out the Chantal Tipene for more information about how your organisation or agency can comply with the Privacy Act and the significant changes that are coming to Australia’s privacy laws.