The Australian Privacy Commissioner has long been (somewhat unfairly) referred to as a “toothless tiger”.
But the proposed reforms to the Privacy Act introduced by the Labor Government mean the Privacy Commissioner is toothless no more. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth), introduced by the Labor Government on 26 October 2022, is a targeted response to the recent highly-publicised and significant data breaches in Australia. As forewarned by Attorney-General Mark Dreyfus, the bill does what it says on the tin: it significantly increases penalties, strengthens the notifiable data breaches scheme and boosts the Privacy Commissioner’s investigative and enforcement powers.
Proposed reforms
Organisations bound by the Privacy Act need to know about 5 key proposed amendments that will change the risk profile of privacy breaches in Australia and have a number of operational implications for managing data breach response and privacy management frameworks.
1. Significant increase in penalties
The bill increases penalties under the Privacy Act for serious or repeated interferences with privacy to amounts that are significantly higher than anticipated. The maximum civil penalty for an organisation is increased from the current $2.22 million to the greater of:
- $50 million;
- three times the value of any benefit obtained directly or indirectly through the privacy breach (if a court can determine this amount); or
- 30% of adjusted turnover (the sum of the values of all supplies that the organisation and any related body corporate made or is likely to make) during the relevant period (this will depend on the duration of the privacy breach). There are some exclusions from the calculation – see section 13G(5).
These penalties are not limited to significant data breaches – the increased penalties apply to any serious or repeated breaches of any of the Australian Privacy Principles (APPs) or the mandatory data breaches scheme. This could include, for example, serious or repeated over-collection of personal information (where not reasonably necessary for the organisation’s functions or activities), or not having practices, procedures and systems in place to handle personal information, or deal with privacy complaints, in accordance with the APPs.
2. Notifiable Data Breaches scheme strengthened
The bill strengthens the existing mandatory data breach notification scheme in Part IIIC of the Privacy Act (NDB scheme) by empowering the Privacy Commissioner to gather information to assess an organisation’s compliance with the requirements of the NDB scheme.
The Privacy Commissioner will have new powers to:
- Require an organisation to provide information or documents, or answer questions, in relation to an actual or suspected eligible data breach of the organisation or its compliance with the NDB scheme. Notably, the bill proposes that a notice can be given under this new s26WU in relation to an actual or suspected eligible data breach that occurred, or may have occurred, before or after the commencement of the reforms. This is a significant departure from the current NDB scheme, under which an organisation makes its own assessment as to whether a data breach is an ‘eligible data breach’ that requires notification to the OAIC and affected individuals.
- Issue infringement notices if an organisation fails to provide the information when required, without the need for court proceedings. Failing to give information, answer a question or produce a document or record where required under the Privacy Act carries civil penalties.
- Conduct an own-motion assessment as to an organisation’s ability to comply with the NDB scheme, including the extent to which the entity has processes and procedures in place to assess eligible data breaches and provide notices to the OAIC and affected individuals.
The strengthening of the NDB scheme is, according to the Explanatory Memorandum, intended to enable the Privacy Commissioner to make its own assessment as to whether there is a likely risk of serious harm to affected individuals and whether, if such harm is not prevented or remediated, notification is required.
3. Enhanced enforcement powers
There are a number of other proposed “boosts” to the Privacy Commissioner’s powers, including powers to:
- Publish notices about specific breaches of privacy (subject to a public interest test) or otherwise ensure those directly affected are informed.
- Publish determinations following investigation of a privacy complaint on the OAIC website. The Privacy Commissioner can also require the organisation to take steps following a determination of an interference with privacy, including notifying the complainant within 14 days of the determination.
- Compel APP entities to undertake external reviews to improve their privacy practices and reduce the likelihood of them committing a breach again, with the requirements expanded to require consultation with the OAIC and the provision of a copy of the review to the OAIC.
4. Expanded extra-territorial application
Currently, the Privacy Act applies to overseas organisations with an “Australian link”. This is where the overseas organisation: (1) carries on business in Australia; and (2) collects or holds personal information in Australia.
The bill will amend the existing extra-territorial provisions to remove the second limb, that is, there will no longer be a requirement for personal information to be collected or held in Australia at the time of the relevant act or practice that is alleged to be in breach of the APPs.
The question of whether there was an “Australian link” was a key issue in the OAIC’s actions against Facebook. This reform quashes any uncertainty that may have remained as to the extra-territorial application (and enforcement) of the Privacy Act where the processing of Australians’ personal information is not directly from a source in Australia (such as where it is processed on servers offshore).
5. Regulator information sharing
Consistent with increased examples of co-regulatory activity in Australia and overseas, the bill gives the OAIC and the Australian Communications and Media Authority greater information-sharing powers. The OAIC will also be able to share information with enforcement bodies, alternative complaint bodies (including the eSafety Commissioner) and other State and Territory, and overseas, privacy regulators to “exercise their functions and powers”. This information sharing is not limited to the context of a privacy complaint.
Tip of the iceberg
We know that the reforms in this bill are intentionally targeted and only the tip of the “privacy reform” iceberg.
There are likely to be more broad-ranging reforms in the near future. The Attorney-General has made clear that his Department’s review of the Privacy Act will recommend further reforms to the Privacy Act “to ensure Australia’s privacy framework protects the personal information of Australians, supports an innovative economy and responds to new challenges in the digital age”.
What should organisations do now?
Many organisations take a “risk-based” approach to privacy compliance and privacy management frameworks. It is perhaps stating the obvious, but the significantly increased penalties and enhanced regulatory powers will change the risk profile for many Australian organisations bound by the Privacy Act.
In addition to conducting a general “privacy health check”, organisations should:
- Re-visit risk registers, privacy impact assessments for “high risk” activities and key business process outsourcing and supplier agreements.
- Ensure they have an up-to-date data breach response plan, on which staff are trained, that meets the requirements of the NDB scheme and considers how the organisation will respond to the Privacy Commissioner’s new information-gathering powers.
- Review their cyber insurance policy and consider whether the coverage (and exclusions) remain appropriate.
- Calculate and know what the organisation’s adjusted turnover is during a sample period.
The Government has expressed a clear intention to “take privacy seriously” and this bill is a clear message that Australian organisations need to do so too.
For more information, please contact Sophie Bradshaw, Sarah Gilkes, Alex Ninis or Simon Carrodus.