The Australian Federal Government has announced a number of important amendments to the Privacy Act (Act) to be legislated later in 2019, which will, amongst other things, significantly increase the potential penalties for serious or repeated breaches for all entities covered by the Act.
Attorney-General Christian Porter, together with Minister for Communications and the Arts Mitch Fifield, announced the new penalty regime under the Privacy Act and the other measures on 24 March 2019, saying the changes are intended to ensure that Australians are protected online and that major social media companies take action to protect the personal information they collect about Australians, particularly children.
The amendments to the Privacy Act will increase penalties for serious or repeated breaches for all entities covered by the Act (including overseas social media and other online platforms operating in Australia) to the greater of:
- $10 million; or
- Three times the value of any benefit obtained through the misuse of information; or
- 10 per cent of a company’s annual domestic turnover.
This is a significant jump from the current maximum penalty of $2.1 million and mirrors the maximum penalties imposed under the Competition and Consumer Act 2010.
Other measures announced by the Government as part of this amendment package include:
- Providing an additional $25 million over three years to the Office of the Australian Information Commissioner (OAIC) to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and to oversee the online privacy rules using its new infringement notice powers. Those powers will be backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failing to cooperate with efforts to resolve minor breaches;
- Expanding other options available to the OAIC to ensure breaches are addressed through third-party reviews and/or the publishing of prominent notices about specific breaches to ensure those who are directly affected are advised;
- Requiring social media and online platforms to take all reasonable action to stop using or disclosing an individual’s personal information upon request; and
- The introduction of specific rules to protect the personal information of children and other vulnerable groups.
The amendments will also result in the creation of a new code for social media and online platforms trading in personal information, which will require those companies to be more transparent about any data sharing and to obtain more specific consent from users when they collect, use and disclose personal information.
In announcing the legislative changes, the Attorney-General said that “existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade… This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”
The proposed changes follow in the wake of the EU’s General Data Protection Regulation (GDPR), which took effect in May 2018 and had far-reaching consequences, requiring many businesses outside the EU – including many in Australia – to take steps to avoid the significant penalty regime introduced by that regulation. It remains to be seen whether the legislative arrangements now announced by the Australian Government will have a similar effect, notwithstanding their intended local application.
This new regime also follows other recent Government initiatives with respect to online safety and user control over personal data, including the Notifiable Data Breaches scheme which commenced in February 2018, the Online Safety Charter and Online Safety Research program announced in December 2018, and the Consumer Data Right (CDR), which was announced in May 2018 and is due to commence in the banking sector in July 2019. Following its implementation in the banking sector, the CDR will then be rolled out to the energy and telecommunications sectors. The CDR represents a significant shift from the existing privacy law regime, which has tended to leave control over personal data with the organisations that hold it, with the regulator enforcing the rules after the fact – by contrast, the CDR aims to give consumers more control over and access to their own data, and replicates some of the data subject rights found in the GDPR.
The legislation introducing these further, newly-announced Privacy Act changes will be drafted and released for consultation in the second half of 2019, presumably after the issue of the final report into the current Digital Platforms inquiry by the Australian Competition and Consumer Commission, which is presently anticipated to occur in June 2019. Whilst that inquiry has focused mostly on the impact of large digital media platforms on competition in news media, it has also touched on some online privacy-related issues – for example, in its interim report late last year, the ACCC recommended a tougher penalty regime, such as that which has now been announced by the Government.
Given the breadth of the potential application of the changes, it is expected that they will have a significant impact on a number of Australian businesses, particularly those trading in personal data. Of course, the full extent of the impact will not be known until the draft legislation is released. Until then, it will be a case of watch this space… and perhaps give your data breach response plan another once-over in the meantime!
If you have any queries, please contact the Privacy Law team at HWL Ebsworth Lawyers.
This article was written by Peter Campbell, Partner and Rebecca Sandford, Special Counsel.
P: +61 8 8205 0836
P: +61 8 8205 0535