Australia to introduce world-leading privacy breach penalties

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) represents a significant change in the Federal Government’s approach to privacy breaches, and creates one of the harshest privacy penalties regimes in the developed world. 

These changes will commence after the Bill passes both houses of Parliament, and the Government has also flagged that further privacy reforms are coming.

The Federal Government has proposed to increase the maximum penalties under the Privacy Act 1988 (Cth) (Privacy Act) for serious or repeated interference with privacy by companies from A$2.22 million to the greater of:

• A$50 million;
  
  
• three times the value of the benefit obtained; or, if that can’t be determined
  
  
• 30% of the ‘adjusted turnover’ during the “breach turnover period”, which means 30% of company group revenue (less some specified adjustments) for the past 12 months or duration of the privacy breach (whichever is longer). 

The extent and significance of the increase in penalties is apparent when compared to other jurisdictions, for example:

• the General Data Protection Regulation (GDPR) of the European Union, which provides for administrative fines of up to €20 million (approximately A$31 million), or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher, for serious infringement; and
  
  
• the Personal Information Protection Law of the People’s Republic of China, which provides for fines of up to RMB 50 million (approximately A$10.7 million) or 5% of the annual turnover of the preceding year for severe violations, in addition to fines imposed on individuals directly liable for the violation.

The Government’s proposed changes align privacy breach penalties with the proposed maximum penalties under the Competition and Consumer Act 2010 (Cth) and the Australian Consumer Law. For more information on these penalties, see our previous article.

While the Bill was introduced following a string recent data breaches, companies should note that these new penalties will apply to any serious or repeated interference with privacy (i.e. acts or practices that breach an Australian Privacy Principle (APP) (or a binding registered APP code) in relation to personal information about an individual and not just to data breaches (which may involve breaches of APPs such as a failure to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure (as required by APP 11)).

Following these reforms, companies can expect the OAIC to have a strong appetite to apply to the Federal Court or Federal Circuit Court for these penalties. This will represent another major change in the enforcement of privacy breaches.

The Government also proposes to broaden the extraterritorial application of the Privacy Act to ensure that foreign organisations carrying on a business in Australia meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia.

Additionally, the Government proposes to legislate new powers for the Australian Information Commissioner (Commissioner), including:

• the power to conduct assessments of an entity’s compliance with the Notifiable Data Breach (NDB) scheme set out in the Privacy Act and gather information for the purposes of conducting an assessment of any kind, including assessing an actual or suspected eligible data breach;
  
  
• strengthening the NDB scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals;
  
  
• the power to make a determination that requires companies to engage independent and suitably qualified advisers to ensure that the conduct constituting an interference with privacy is not repeated or continued;
  
  
• the power to make a determination that requires companies to prepare and publish a statement about the conduct constituting an interference with privacy, including any steps undertaken by the company to ensure the conduct is not repeated or continued;
  
  
• new infringement notice powers to penalise entities for failing to provide information, answering a question or producing a document when required to do so (with associated additional civil penalty provisions) – the Bill also creates a separate criminal penalty if a company engages in conduct which constitutes a system of conduct or pattern of behaviour; and
  
  
• the capacity to share information, including personal information, with an enforcement body, alternative complaint body, and a State, Territory or foreign privacy regulator. The Bill also clarifies that the Commissioner is able to share information gathered through the Commissioner’s information commissioner functions, freedom of information functions and privacy functions.

What steps should companies take?

It is clear that companies must act to ensure that their privacy regimes and data security capabilities are up to date and appropriately reflect risk.

Overseas companies that do business in Australia but do not collect or store information directly from Australia should immediately begin an analysis of their ability to comply with Australian privacy law given the expanded extraterritorial application.

Companies ought to continue to take prudent steps, including:

• ensuring effective cyber security controls to account for a changing threat environment, technology developments and the organisation’s capabilities;
  
  
• engaging with insurance brokers about the changing risks;
  
  
• developing, implementing and updating comprehensive privacy compliance strategies, policies and procedures;
  
  
• ensuring that from the Board down, there are clear management, escalation and reporting policies that are well-understood and up to date;
   
• testing effectiveness of controls, and regularly holding test runs of the data breach response plan; and
  
  
• ensuring that third party risks are being managed, including through contractual controls, insurance requirements and indemnities.

***

The Government’s actions indicate a significant change in approach to privacy regulation. In addition to the introduction of world leading penalties, a comprehensive review of the Privacy Act is currently being conducted by the Attorney-General’s Department, which is expected to be completed by the end of this year. Further changes are on the way.