By Geoffrey McCarthy, Special Counsel

Australian privacy laws have been strengthened with the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (‘The Bill’, or ‘The Act’),[1] being passed by Parliament on 28 November 2022. The amendments will come into effect on 13 December, being the day after the Bill received royal assent.

Key Takeaways:

• The Office of the Australian Information Commissioner (OAIC) receives increased investigatory powers and enhanced data-sharing capabilities.
• The Bill significantly increases penalties for serious and or repeated privacy breaches.
• Greater powers for the OAIC to resolve breaches is given.
• The Bill’s amendments broaden definitions to increase the application of Australian privacy law to overseas organisations, operating within Australia.

Federal Parliament has acted to strengthen the legislative regime and increase penalties for privacy breaches. The Government is also awaiting the outcome of a privacy related review pre-dating the recent data breach scandals, so further changes to the Act may be forthcoming as a result.

These recent high-profile data breaches have increased public awareness around cyber security, so it is important that businesses act accordingly to maintain public good-will and bolster their customers’ confidence in the business’ ability to uphold the privacy of their data. Entities need to understand preventative measures they can put in place to eliminate these risks. This article will discuss the various changes made by the Bill including new powers, enforcement measures and penalties, and why changes to the Privacy Act were necessary to minimise the risk and potential damage of data breaches and cyber-attacks.

Key Objectives

The Bill promotes the right to privacy by strengthening legal protection against unlawful interference with privacy, and addresses the following four key objectives:

• Increase penalties for serious or repeated privacy breaches;
• Provide the OAIC enhanced powers to request information and conduct compliance assessments of the notifiable data breach regime;
• Give the OAIC new enforcement powers, allowing the OAIC to require entities to conduct external reviews of their internal procedures and to publish notices about specific privacy breaches to affected individuals; and
• To introduce new information sharing powers for the OAIC and the Australian Communications and Media Authority (ACMA).

At the heart of the Act’s changes is a focus on ensuring that the enforcement mechanisms and penalties available to the Commissioner are adequate to protect the privacy of Australians. The OAIC Notifiable data breaches report January to June 2022,[2] highlights the need for organisations to have robust information handling practices and an up-to-date breach response plan to minimise the risk of harm. Contact information, identity information and financial details continue to be the most common types of personal information involved in data breaches. Malicious or criminal attack was the top cause of data breaches notified by the top 5 most targeted sectors (by number of notifications), being health service providers, finance (including superannuation), education, legal, accounting and management services as well as recruitment agencies.

In the period from January to June 2022, the OAIC was notified of 396 data breaches which represents a 14% decrease compared to July to December 2021. However, with data breaches now at the forefront of public attention, businesses should not allow the decrease in incidents to create a false sense of security. Health remains the highest reporting sector notifying 20% of breaches, followed by finance (13%). Forty-one per cent of all breaches (162 notifications) resulted from cyber security incidents. The top sources of cyber incidents were ransomware (51 notifications), phishing (42 notifications) and compromised or stolen credentials (method unknown) (40 notifications).

Greater enforcement powers for the Office of the Australian Information Commissioner

The OAIC has been provided with enhanced enforcement and information gathering and sharing powers and will also be able to share information publicly if it is in the public interest to do so. The Act, as amended, provides the OAIC with enhanced enforcement powers, including by:

• Expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation;
• Enhancing the extraterritorial jurisdiction of the Privacy Act to ensure the same obligations under the Act apply to foreign organisations carrying on a business in Australia;
• Providing the Commissioner with new powers to conduct assessments;
• Providing the Commissioner new infringement notice powers to penalise entities for failing to provide information, without the need to engage in protracted litigation; and
• Strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.[3]

Extended information gathering and sharing powers

The amended Act enhances the Commissioner’s ability to share information by:

• Clarifying that the Commissioner is able to share information gathered through the Commissioner’s information commissioner functions, freedom of information functions and privacy functions;
• Providing the Commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body, and a State, Territory, or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties; and
• Providing the Commissioner with the power to publish a determination or information relating to an assessment on the Commissioner’s website and disclose all other information acquired in the course of exercising powers or performing functions or duties if it is in the public interest.

Extraterritorial application of the Act

The Bill removes the requirement for an organisation to collect or hold personal information in Australia for the Act to apply, and there will be significant flow-on effects of this change. The intention of the change is to ensure that organisations that carry on business in Australia but do not themselves directly collect or hold personal information in Australia, can nonetheless be caught by the Act.

For example, this might occur where an offshore entity with business operations in Australia only handles personal information by virtue of it receiving that personal information from another entity also located outside of Australia. The Act’s amendments extend its operation to all acts done or practices engaged in by overseas entities which carry on business in Australia, irrespective of whether the acts or practices relate to individuals located in Australia. An international organisation is required to comply with the Act in respect of its entire global operations, including in relation to individuals located in other jurisdictions.

Angelene Falk, Australian Information Commissioner and Privacy Commissioner stated that the ‘simplification of the extraterritoriality in section 5B of the Privacy Act as proposed by the bill’ will assist with ensuring that foreign domiciled companies carrying on business in Australia are still required to comply with Australia’s privacy law.[4] Changes to the legislation work to optimise the processes required of the Commissioner to enforce the law, and to prevent overseas companies from avoiding the jurisdiction of the Privacy Act based on technicalities.[5] The legislative change to the regime, therefore, incentivises regulatory compliance and bolsters the ability for the regulator to enforce privacy law.

Penalties

Currently, the OAIC can seek civil penalties through the Federal Court for a serious and/or repeated interference with privacy. The amendments increase the maximum penalty for bodies corporate for serious or repeated privacy breaches from the current $2,220,000.00 to whichever is the greater of:

• $50 million;
• if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – 3 times the value of that benefit; or
• if the court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.

The amended legislation ensures that the penalties align with Australian consumer and competition legislation, which has recently also increased penalties to $50 million. It also increases the penalties available for serious or repeated privacy breaches for non-bodies corporate, up from $444,000.00 to $2.5 million.[6] It should be noted that the quantum of available penalties is the only aspect of the penalties amended.

What you need to do

If a business is bound by the Act, steps must be taken to ensure it is following the Australian Privacy Principles. Businesses must:

• Prepare, adopt and publish a written Privacy Policy that complies with Australian privacy law;
• Adhere to the principles for data and personal information collection, use and disclosure;
• Maintain sufficient security over data collected and stored by the business (e.g. ensuring adequate IT security is in place to decrease risk of authorised access, use or loss of data);
• Developing response systems and strategies to prevent and mitigate data breaches; and
• Comply with applicable Notifiable Data Breach requirements.

Next steps

The Bill gives the OAIC powers to take on a more active role in monitoring and enforcing the Act, by assisting businesses to improve their compliance with the Act. We recommend that all who are required to comply ensure that privacy policies are up to date and clearly outline the information to be collected, its use and how the person will ensure protection. Mills Oakley can provide expert advice in this field and would be pleased to guide you through any questions you may have.

[1] Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

[2] Australian Government, Notifiable data breaches report January to June 2022, 10 November 2022.

[3] The Parliament of the Commonwealth of Australia, House of Representatives, Explanatory Memorandum, Privacy Legislation Amendment (Enforcement And Other Measures) Bill 2022.

[4] Evidence to Legal and Constitutional Affairs Legislation Committee, Parliament of Australia, Canberra, 17 November 2022, Angelene Falk, Australian Information Commissioner and Privacy Commissioner; Office of the Australian Information Commissioner, ‘OAIC welcomes passing of Privacy Bill’ (Press Release, Office of the Australian Information Commissioner, 29 November 2022).

[5] Ibid.

[6] Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022; Privacy Act 1988 (Cth) s 13.