In the words of its own Attorney-General, Australia's privacy laws were “out of date and not fit-for-purpose”. After recent amendments, they now stand to contain one of the world’s toughest data breach penalty regimes. So, what has changed?
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the “Bill”) received Royal Assent on 12 December 2022. It amends Australia’s long-standing foundational legislation, the Privacy Act 1988 (Cth) (“Privacy Act”).
The Bill increases the maximum penalties for serious or repeated privacy breaches from the current AUS$2.22m penalty (roughly £1.25m) to whichever is the greater of:
- AUS$50 million (roughly £27.5m);
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of an organisation’s adjusted turnover in the relevant period.
Increased Regulator Powers
The Bill will also provide the Office of the Australian Information Commissioner (OAIC) with greater powers, including:
- to request information and documents in relation to an eligible data breach;
- to assess whether an entity is compliant with its obligations to notify the OAIC of an eligible data breach;
- to issue infringement notices for entities that fail to provide the requested information or documents in relation to an eligible data breach;
- to share information obtained under the Privacy Act with other enforcement bodies (including governments of other countries); and
- to disclose information to the public where it is in the public interest to do so.
The Bill also amends the extra-territorial application of the Privacy Act. It removes the requirement that an organisation has to collect or hold personal information in Australia in order for the Privacy Act to apply to that organisation. This means that organisations based outside Australia, and with no Australian subsidiary, are now captured under the Privacy Act provided they carry on business in Australia.
The OAIC Commissioner commented that these changes in the Bill “will help ensure companies that carry on a business in Australia, while domiciled overseas, are required to comply with Australia’s privacy law”.
The big question is, why the sudden dramatic increase in fines, regulatory powers and extraterritorial scope relating to Australian privacy laws?
Some insight can be found in the Bill’s accompanying press release in which the Attorney General commented that "significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business".
We can only assume the Attorney General is referring, at least in part, to the October data breach at Australian health insurance provider Medibank, in which data (including health data) of 9.7 million current and former customers was stolen and later posted online by the attackers, and to the data breach at Australian telecommunications giant Optus, in which the personal data of about 10 million customers (roughly 40% of the Australian population) was stolen in a cyber-attack.
These changes show how seriously the Australian Government is taking data privacy, particularly as the Bill comes into force before the outcome of this year’s comprehensive review of the Privacy Act by the Attorney-General's Department.
This shift in attitude by the Australian Government towards greater data protection is not out of the blue. Back in August this year, Australia joined the Asia-Pacific Economic Co-operation (APEC) Cross-Border Privacy Rules (CBPR) system. The APEC CBPR is a framework designed to ensure that cross-border data transfers between member economies can be carried out seamlessly. Its principles and operating mechanisms are similar to those of the EU's Binding Corporate Rules recognised under the General Data Protection Regulation (GDPR).
Given the significant increase in potential penalties, along with the additional extra-territorial scope of the Privacy Act, organisations should act now to review their existing privacy policies and practices to ensure that they are compliant with Australian data privacy laws.
In the words of the Attorney General: "these new, larger penalties send a clear message to large companies that they must do better to protect the data they collect". If not, they may find themselves on a sticky wicket.