Recent high profile data breaches have renewed the Government’s focus on updating the Privacy Act 1988 (Cth) (Privacy Act), the centrepiece of Australia’s privacy regime.
A refresh of the Privacy Act has been on the cards since 2019, with the most recent notable progress in October 2021, with the then-Government releasing an exposure draft Bill proposing targeted amendments to the Privacy Act, along with a Discussion Paper contemplating further changes. We wrote about these proposed changes at the time in our article here.
A year on, and following the significant data breaches coming out of Optus and Medibank, Australia’s new Government is seeking to fast track a number of changes. On 26 October 2022, Attorney-General, Mark Dreyfus, tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) in Parliament.
The Bill takes one of the core elements of last year’s exposure draft, by significantly increasing the maximum penalties for breach, though to an even greater degree than previously proposed.
Other amendments from the Bill include:
- expansion of the test which determines whether a foreign entity has an ‘Australian Link’ (and thus, is required to comply with the Privacy Act);
- enhanced enforcement powers, including:
- wider information collection powers for the Office of the Australian Information Commissioner (OAIC) in respect of information collection and compliance assessments; and
- new enforcement powers, allowing the OAIC to require entities to conduct external reviews of their internal procedures and to publish notices about specific privacy breaches to affected individuals; and
- information sharing powers between the OAIC and the Australian Communications and Media Authority.
We take a deeper look at each of these below.
The ‘Online Privacy Code’ for social media and other large online platforms proposed as part of last year’s exposure draft does not form part of this new Bill.
There are also no changes to the Australian Privacy Principles (APPs) proposed as part of this Bill, but these could form part of further reforms which are expected next year.
Section 13G is the key penalty provision under the Privacy Act, capturing entities which do an act or engage in a practice that is:
- a serious interference with the privacy of an individual; or
- an interference with the privacy of one or more individuals.
Under the Bill, maximum penalties will significantly increase as follows:
|Body Corporate||2,000 penalty units (currently $2.22 million)||The greater of:
|Other entities and individuals||2,000 penalty units (currently $444,000)||$2.5 million|
These amounts align with recent penalty increases under the Australian Consumer Law.
Attorney-General Mark Dreyfus has commented that ‘significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.’ However, we are yet to see an instance where the previous maximum penalty has been imposed (although there remains a chance that this will be the case in the OAIC’s pending enforcement action against Facebook).
The increased penalties also only apply to the most serious or repeated interferences with privacy, and there remains scope for more graduated penalties for lower level breaches. Last year’s discussion paper floated:
- a ‘mid-tier‘ civil penalty provision, with lower maximum penalties; and
- an infringement notice regime for certain ‘low-level‘ breaches of the APPs.
These developments are not part of this current Bill.
Capturing more foreign entities
The Privacy Act captures a foreign entity where that entity has an ‘Australian Link’. To have an ‘Australian Link,’ the entity is currently required to:
- carry on business in Australia (including an external Australian territory); and
- collect or hold the personal information in Australia.
The Bill proposes to remove the latter part of the test, and would remove the requirement that personal information needs to be collected or held in Australia. Therefore, any foreign entity carrying on a business in Australia would be captured.
The Explanatory Memorandum explains that the amendment is ‘to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia’.
This appears to be attempting to remove the ambiguity in establishing whether an entity collects or uses personal information in Australia, which has been a key point of dispute in the OAIC’s recent enforcement action against Facebook’s US entity in the Federal Court.
However, without the stipulation that the Privacy Act only applies in relation to information collected or held in Australia, the requirements of the Privacy Act arguably would apply to all activities of a foreign entity (even those entirely external to Australia, not involving Australian data) if it conducts any business whatsoever in Australia.
If adopted, this amendment is likely to have far-reaching consequences capturing a broad range of entities which have even a modest Australian business presence, and foreign entities will need to be increasingly vigilant around their compliance with the Australian privacy laws.
Enhanced enforcement powers
The Bill proposes to provide the Commissioner with broader powers to collect information and conduct assessments of an entity’s compliance with the Privacy Act’s Notifiable Data Breaches Scheme (Data Breach Scheme) which commenced in February 2018. These proposals largely reflect changes floated in the exposure draft a year ago.
- The Commissioner would be able to request information or documents from an entity, or require an entity to answer questions, in respect of:
- an actual or suspected eligible data breach; and/or
- the entity’s compliance with the requirement to make a notification of eligible data breaches.
- The information, documents or questions the Commissioner may request or ask are broad, and extend to enquiring if the entity is required to comply with the Data Breach Scheme and the steps taken to comply with the Data Breach Scheme. The Commissioner will also have broad powers to take possession to take and make copies of records.
- Where an entity receives notice to provide such information, failure to lawfully comply with the notice would be subject to the new infringement notice power (discussed below).
The Bill would provide the Commissioner with a new power to issue an ‘infringement notice’ for non-compliance with the requirement to give information, or provide a document or record when required, in the course of an investigation being conducted by the Commissioner (Infringement Notice Power).
Section 66 of the Privacy Act already creates a criminal offence where a person refuses to or fails to give information, or answer a question or produce a document or record when required to do so under the Privacy Act. The introduction of the Infringement Notice Power is intended to provide an alternative means of resolving these matters without resorting to the prosecution of a criminal offence, or the litigation of a civil matter.
The current penalties under section 66 for basic contraventions are also being lifted, as follows:
|Body Corporate||100 penalty units ($22,200)||60 penalty units ($66,600)|
|Other entities and individuals||20 penalty units ($4,440)||60 penalty units ($13,320)|
A new class for ‘multiple’ contraventions will also be introduced, with a penalty of 300 penalty units ($333,000 for bodies corporate, or $66,600 for other entities).
The declarations that the Commissioner can make in a determination have also been expanded to require the entity to provide notice of conduct which has interfered with the privacy of an individual.
This may include requiring the entity to prepare a statement including:
- the conduct that led to the interference of privacy and the steps they have taken or will take to remediate the contravention;
- the steps undertaken to ensure the conduct is not repeated; and
- any other information required.
The statement may be published or a copy provided to the complainant or, in the case of a representative complaint, to each affected class member.
The Bill also proposes to extend of the Commissioner’s capacity to share information, including a new power (subject to specific limitations) to share information with:
- an enforcement body;
- an ‘alternative complaint body’; and
- State, Territory or foreign privacy regulators.
Some limitations will not be applicable to the extent that the disclosure is in the public interest.
The Commissioner will be able to share information for the purpose of the Commissioner, or receiving authority, exercising any of their respective functions and powers. Importantly, information sharing is not limited to sharing information in the context of transferring a complaint to another body.
The Commissioner’s will able be able to publish certain information on the OAIC’s website. This would include the ability to confirm whether the OAIC has received notice of an eligible data breach, and disclose information regarding assessment reports, section 52 determinations and enforceable undertakings without needing to meet a public interest test.
Notably, the Online Privacy Code suggested as part of the 2021 consultation (and discussed in our recent privacy article here) has not been included. Being a considerable feature of the previous Government’s privacy refresh proposal, it will be interesting to see whether the new Government will pick up this issue in future.
The 2021 Discussion Paper also put forward a range of potentially very substantial amendments to the Privacy Act for consideration, with some of the most radical proposals including:
- an ability for individuals to directly bring action for breach of the APPs (rather than merely making a complaint to the Commissioner);
- a potential statutory tort for invasion of privacy, which would apply in instances of highly offensive conduct, separate and distinct from the requirements of the APPs;
- changing the definition of ‘personal information’;
- strengthening requirements around consent under the APPs;
- changing elements of the APPs dealing with how personal information is collected, held, used and disclosed;
- adding new rights for individuals, such as a right to erasure;
- differentiating between children and adults; and
- creating rules to apply to certain prescribed high risk practices.
Attorney-General Dreyfus stated in July that his Department is due to deliver its report off the back of the Discussion Paper by the end of this year.
Privacy issues can be thorny to unravel, and will be increasingly important to get right if these increased penalties become law. Our privacy law team has vast experience in advising clients on how best to meet their obligations under the Privacy Act and the Australian Privacy Principals. Have a question about privacy or the new privacy proposals? Contact HWLE today!
This article was written by Daniel Kiley, Partner, and Kayla Costa, Solicitor.