Federal parliament approves massive increases in penalties for privacy breaches

Recent cyber-attacks such as the Optus data breach have affected millions of Australians and driven privacy reforms in Australia to move at a record speed. We have previously discussed the world-leading privacy penalty regime and the extended privacy long-arm jurisdiction introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) amending Australia’s Privacy Act 1988 (Cth) (Privacy Act). 

The Bill passed both Houses of Parliament on 28 November 2022 without major amendments and will be effective following assent by the Governor-General, which is expected to take place imminently. 

Various political parties and industrial groups made submissions and recommendations to the Bill. Although not accepted in the final Bill, these submissions provide indications of how Australia’s privacy reform may develop. The Federal Government has committed to revisit the issues raised as part of its ongoing review of the Privacy Act, to be completed by the end of this year.

Key debates over the Bill

Penalty for serious and repeated interference of privacy

The Bill significantly increases the maximum civil penalty for serious or repeated interference with privacy as reflected below:

_{* ‘Adjusted turnover’ means the sum of the value of all supplies made by the entity in connection with Australia. The ‘breach turnover period’ begins at the start of the month in which the offence or contravention occurred or began occurring, and ends at the end of the month in which it ceased – subject to a minimum ‘breach turnover period’ of 12 months.}

Submissions to the Bill generally supported the heightened penalty as a necessary increased deterrence for privacy violations. However, there were calls for:

• clear definitions for the terms ‘serious’ interference and ‘repeated’ interference, or at least factors to be considered when a court determines penalty amounts, including:
  
  
  • whether a breach was the result of deliberate, reckless, or negligent behaviour on the part of the entity;
    
    
  • whether an entity was compliant with recognised or prevailing standards for security and had robust privacy frameworks in place;
    
    
  • whether an entity acted promptly to investigate the matter, sought appropriate expert assistance, and worked in good faith to address harms to citizens; and
    
    
  • whether an entity disclosed the breach at an appropriate time to mitigate damage to all involved;
    
    
• a tiered approach to penalties, proportionate to the seriousness and frequency of breaches, the size of an entity and the nature of its work;
  
  
• a safe harbour mechanism, whereby entities that take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, would not be penalised; and
  
  
• clarity on the meaning of “benefits” which may be obtained or attributable to a privacy breach.

Extraterritorial application

The Privacy Act applies to foreign entities that have an ‘Australian link’. The Bill removes the requirement for an entity to collect or hold personal information in Australia in order to have an Australian link. In essence, this expands the extraterritorial application of the Privacy Act to all foreign entities that carry on business in Australia. 

Some submissions considered this change to be unnecessarily broad as it captures all the privacy practices of foreign entities operating in Australia, including those that affect citizens of other nations who do not have any direct connection with Australia.

New powers for the Australian Information Commissioner

The Bill provides new powers to the Australian Information Commissioner to issue infringement notices with civil penalty to entities who fail to answer questions or provide information, documents or records. These extended powers were not heavily debated.

What comes next?

A lot has happened in Australia’s privacy space and there is certainly more to come, including the long-awaited reforms to the Privacy Act which may:

• broaden the definition of ‘personal information’;
  
  
• uplift requirements on an entity’s privacy policy;
  
  
• provide new requirements on collection notices;
  
  
• narrow the bases on which entities are permitted to collect, use and disclose personal information;
  
  
• further regulate direct marketing activities;
  
  
• afford data subjects greater data access and erasure rights;
  
  
• prescribe new requirements for information security and overseas data flow; and
  
  
• introduce a direct right of action for individuals to seek compensation for an interference with their privacy.

The key debates that occurred over the Bill, highlighted above, will also be considered as part of the reform.

Alongside the reforms, the Government is also considering criminalising the payment of ransoms to hackers, with a view to reducing the profitability of cybercrime in Australia.

Once the Government‘s final report containing recommendations for this broader reform is published by the end of 2022, entities should prepare for the upcoming change by: 

• identifying the gaps between the entity’s existing privacy policies, procedures and documentation and the recommendations contained in the final report;
  
  
• mitigating these gaps by updating the entity’s privacy policies, procedures and documentation;
  
  
• reviewing the effectiveness of their cyber controls, strategies and practices;
  
  
• evaluating their approach in preparing for and managing cyber incidents; and
  
  
• reviewing their cyber insurance coverage and policies.