Changes to Australia’s Privacy Act bolster enforcement and investigative powers

On 29 November 2024, the Privacy and Other Legislation Amendment Bill 2024 (Bill) passed both Houses of Parliament in what has been described as the first tranche of much-needed updates to Australia’s privacy laws in the digital age.

Notably, the changes expand enforcement and investigative powers and introduce new tiered penalty provisions, which significantly increase the ability to investigate and penalise companies that mismanage personal information. These changes will come into force once the Bill receives Royal assent.

Australian Privacy Act: the road to now

Under the current Privacy Act 1988 (Cth) (Privacy Act), the Office of the Australian Information Commissioner (OAIC) is empowered to, amongst other things, investigate interferences with privacy and commence civil penalty proceedings following investigations.

In February 2023, the Attorney-General published a Privacy Act Review Report which proposed:

  • an expansion of the enforcement mechanisms available to the OAIC, including the introduction of a tiered approach to civil penalties and infringement notices;

  • enhancement of the OAIC’s investigative powers to include investigations of civil penalty provisions;

  • empowerment of the Commissioner to undertake public inquiries and reviews into specified matters on the approval or direction of the Attorney-General; and

  • an exploration of the feasibility of industry funding models to ensure that the OAIC is adequately resourced to carry out its regulatory functions.

In September 2023, the Federal Government published its Response to the Privacy Act Review which agreed with the introduction of tiered civil penalty provisions and an increase to the OAIC’s enforcement powers. The Government also agreed in-principle that the OAIC’s resourcing requirements be the subject of further work, including investigating the feasibility of an industry funding model and the establishment of a contingency litigation fund for costs orders against the OAIC.

The Privacy and Other Legislation Amendment Bill 2024 articulates how the Federal Government will implement some of these agreed changes following stakeholder engagement and impact analysis processes.

Key enforcement and investigation takeaways

While data breaches involving Australians’ personal information have become increasingly prevalent in recent years, the OAIC has only commenced a handful of civil penalty proceedings under the Privacy Act (including against Australian Clinical Labs Limited). The introduction of revised penalties for interferences with privacy and breaches of the Australian Privacy Principles is likely to increase the level of regulator action.

Amongst other areas, at a high level, the Bill:

  • increases the range of civil penalties available for interferences with privacy;

  • empowers the OAIC to use revised investigation and monitoring powers to improve successful regulatory outcomes;

  • empowers the Information Commissioner to conduct public inquiries into matters relating to privacy on the direction or approval of the Minister;

  • empowers the OAIC to make determinations following investigations; and

  • expands the powers of the federal courts to make orders in civil penalty proceedings beyond pecuniary penalties.

Penalties for interference with privacy

Under the current legislation, the Information Commissioner can only seek civil penalties for ‘serious and repeated’ interferences with privacy.

Part 8 of the Bill amends the Privacy Act to:

  • revise the civil penalty for ‘serious and repeated’ interferences to ‘serious’ interferences with privacy;

  • clarify the standards by which the threshold for a ‘serious’ interference with privacy is met;

  • introduce a civil penalty for interferences with privacy which are not serious; and

  • introduce new civil penalty provisions for breaches of specific privacy obligations.

In determining whether an interference with privacy is serious, a court may have regard to any of the following matters:

  • the particular kind or kinds of information involved in the interference with privacy;

  • the sensitivity of the personal information of the individual;

  • the consequences, or potential consequences, of the interference with privacy for the individual;

  • the number of individuals affected by the interference with privacy;

  • whether the individual affected by the interference with privacy is a child or person experiencing vulnerability;

  • whether the act was done, or the practice engaged in, repeatedly or continuously;

  • whether the contravening entity failed to take steps to implement practices, procedures and systems to comply with their obligations in relation to privacy in a way that contributed to the interference with privacy; and/or

  • any other relevant matter.

For example, a serious interference with privacy could arise where a company improperly holds sensitive personal information (e.g. for no reasonable purpose or without sufficient protection). Serious interferences with privacy will attract up to the maximum penalties contained in section 13G of the Privacy Act. The degree of application of these penalties will reflect the severity and seriousness of the interference. Please see tables below for more details.

Breaches of the Australian Privacy Principles

The Bill also introduces a civil penalty provision for breaches of specific obligations in the Australian Privacy Principles (APPs) and non-compliant eligible data breach statements. Breaches of non-specified APPs are only penalised in accordance with the penalties discussed above.

The relevant APP obligations are administrative in nature and are easily identified (and pursued). Breaches will be dealt with in four ways:

  1. Pursued under one of the ‘interferences with privacy’ sections (either serious or non-serious) discussed above, which carry the largest penalties.

  2. Treated as standalone breaches under the new section of the Privacy Act, which will attract smaller penalties.

  3. By way of the Information Commissioner issuing an infringement notice, which will attract the smallest penalty.

  4. By way of a discretionary compliance notice which provides an entity with practical and measurable steps to comply with their obligations. Compliance with a compliance notice can protect an entity from certain civil penalty orders.

The relevant APP obligations are set out in the below table.

APP       Description
1.3       Requirement to have APP privacy policy
1.4       Contents of APP privacy policy
2.1       Individuals may choose not to identify themselves in dealing with entities
6.5       Written notice of certain uses or disclosures
7.2(c)    Simple means for individuals to opt out of direct marketing communications
7.3(d)    Requirement to draw attention to ability to opt out of direct marketing communications
7.7(a)    Giving effect to request in reasonable period
7.7(b)    Notification of source of information
13.5      Dealing with requests

The applicable penalties for breaches of these obligations are set out in the below table.

Breach                                     Penalty
Serious interference with privacy          $2.5 million for a person other than a body corporate. For bodies corporate, the maximum penalty is an amount not exceeding the greater of $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of their adjusted turnover in the relevant period
Interference with privacy                  2,000 penalty units ($660,000) for persons and 10,000 penalty units ($3.3 million) for bodies corporate
Dealt with standalone                      200 penalty units for a person ($66,000) and 1,000 penalty units ($330,000) for a body corporate
Infringement notice issued                 12 penalty units ($3,960) for a person, 60 penalty units ($19,800) for bodies corporate, and 200 penalty units ($66,000) for listed corporations
Failure to comply with compliance notice   200 penalty units for a person ($66,000) and 1,000 penalty units ($330,000) for a body corporate

For data breach statements, any entity will contravene the updated Privacy Act if it prepared an eligible data breach statement under section 26WK but the statement did not contain all of the information required by law to be included. The same remedies as set out above will be available for a breach of this section.

These amendments will apply in relation to acts done, or practices engaged in, after the commencement of the updates to the Privacy Act. This means that they will not operate retrospectively, giving organisations time to review their data collection and management practices and further ensure compliance with Australia’s privacy regime.

Monitoring and investigation

Under the current version of the Privacy Act, the Information Commissioner has a broad range of monitoring, assessment and investigation powers. This includes a bespoke entry and inspection power, exercisable for the purpose of inspecting any documents kept at the premises in connection with the performance by the Information Commissioner of any of their functions under the Privacy Act.

Part 14 of the Bill amends the Privacy Act (as well as making consequential amendments to other legislation) to apply the standard monitoring and investigation powers contained in Part 2 and Part 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth). These powers include entry, search and seizure powers that will complement the Information Commissioner’s existing powers in the Privacy Act.

These amendments are stated to be necessary, proportionate and reasonable for the OAIC to enforce privacy protections and improve successful regulatory outcomes.

Public inquiries

Part 10 of the Bill provides the Information Commissioner with a new power to conduct public inquiries into specified matters relating to privacy on the direction or approval of the Minister.

This will enable the Information Commissioner to investigate systemic industry-wide acts and practices. The Information Commissioner will have the power to require the production of documents or information and will not be bound by the rules of evidence when conducting public inquiries.

Determinations following investigations

Part 11 of the Bill empowers the Information Commissioner to, following an investigation, issue a determination requiring a respondent to a privacy matter to perform any reasonable act or course of conduct to prevent or reduce reasonably foreseeable future loss or damage.

Federal Court orders

Part 9 of the Bill expands the powers of the Federal Court and Federal Circuit and Family Court beyond pecuniary penalties (the current limit of their powers).

If the Court has determined (or will determine) that an entity has contravened a civil penalty provision of the Privacy Act, the Court will be empowered to make any orders it sees fit, including:

  • an order directing the entity to perform any reasonable act, or carry out any reasonable course of conduct, to redress the loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention;

  • an order directing the entity to pay damages to any individual by way of compensation for any loss or damage suffered, or likely to be suffered, by any individual as a result of the contravention;

  • an order directing the entity to engage, or not to engage, in any act or practice to avoid repeating or continuing the contravention; and

  • an order directing the entity to publish, or otherwise communicate, a statement about the contravention.

OAIC funding

While the Bill does not introduce any proposed industry funding model to support the increased functions of the OAIC, this may be proposed in future legislation by the Government.

Next steps

The Privacy and Other Legislation Amendment Bill 2024 introduces a large number of critical reforms that will affect all businesses.

The Bill, which will become an Act once it receives Royal assent, also introduces a new tort of serious invasion of privacy. In combination with the new Cyber Security Act 2024, these reforms create a significantly changed landscape for how companies manage and use personal information, and respond to cyber incidents.

Companies will need to ensure that their privacy, IT and cyber security policies and playbooks are updated and those changes implemented within their business.


Authors

James North

Head of Technology, Media and Telecommunications

Molly Tredinnick

Senior Associate

This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.