Greater Responsibility on Businesses under the New Privacy Act Amendments

Key takeaways

  • There are now increased penalties for entities for serious or repeated interferences with the privacy of one or more individuals.
  • The OAIC and ACMA now have greater powers to request and share information, as well as issue infringement notices to non-complying entities.
  • Businesses should expect more reforms following the release by the Australian Attorney-General’s Department of the Privacy Act Review Report.
  • Businesses should go “back to basics” to ensure compliance with the Privacy Act by conducting a review into their current privacy policies and procedures.

The recent amendments


The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth) (Act) came into force on 13 December 2022. The Act amends the Privacy Act 1988 (Cth) (Privacy Act), the Australian Communications and Media Authority Act 2005 (Cth) and the Australian Information Commissioner Act 2010 (Cth). The amendments:

  • increase penalties for serious or repeated interferences with privacy;
  • enhance the Office of the Australian Information Commissioner’s (OAIC) enforcement powers; and
  • provide OAIC and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Following high profile cyber incidents in Australia last year and as recently as this week, it is clear from the introduction of these amendments that the Australian Government will be taking a tougher stance on businesses and requiring them to take greater steps in protecting individuals’ data.

Increase in penalties for serious or repeated privacy interferences


The Act brings the increased penalty amounts into alignment with recently amended competition and consumer penalties as well as international penalties under Europe’s General Data Protection Regulation. The increased penalties for serious and repeated interferences with privacy are:

  • for a person other than a body corporate, AUD 2.5 million; or
  • for a body corporate, the greater of:
    • AUD 50 million;
    • if the court can determine the value of the benefit obtained, three times the value of that benefit; or
    • if the court cannot determine the value of the benefit obtained, 30% of the body corporate’s adjusted turnover during the breach turnover period.

These penalties apply to all “serious” and “repeated” interferences with privacy. What constitutes a “serious” interference will be determined objectively by considering matters such as the sensitivity of the information that may be the subject of a data breach. A “repeated” interference will involve two or more independent occasions on which an entity has interfered with an individual’s or individuals’ privacy.

The penalties apply not only to a data breach but also to breaches of an entity’s obligations under the Australian Privacy Principles (APP), which provide that an APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle. This could include, for example, a business’ unauthorised collection of sensitive information.

An APP entity refers to any business that generates over $3 million in annual turnover. Generally, this relates to an organisation or government agency. However, there are some exceptions which could deem a small business operator an APP entity.

Enhancement of OAIC and ACMA powers


The amendments within the Act strengthen the OAIC’s enforcement powers.

Firstly, the OAIC will be able to request that entities provide information about an existing or alleged breach, or about the Notifiable Data Breach scheme. This could be provided through documents, records, or answers to questions. Additionally, the OAIC will be able to issue infringement notices to businesses that fail to comply with these requests.

Secondly, the Act expands the OAIC’s existing power to make declarations about the steps an entity must take to rectify an interference with individual privacy. The OAIC can require entities to prepare and publish detailed statements about the conduct and the measures taken to prevent a repeat of the breach. The OAIC is also able to direct businesses to engage a suitably qualified adviser to assist them through this process.

The information-sharing powers of both the OAIC and ACMA will also be enhanced. The Commissioner can now publish certain information where it is in the public interest to do so, and both the OAIC and ACMA will be able to share information with relevant enforcement bodies.

The Privacy Act Review Report

The Australian Attorney-General’s Department released the Privacy Act Review Report on 16 February 2023, setting out 116 proposals to strengthen the protection of personal information and the control individuals have over their information. The report states that the proposals are designed to align Australia’s laws with the privacy standards of other jurisdictions such as Europe and the UK.

The deadline for providing feedback on the Privacy Act Review Report expired on 31 March 2023, so businesses should expect further reforms later this year once the Government has considered the feedback and completed the review process.

What steps should businesses take?

It is currently Privacy Awareness Week, and this year’s theme is to get “back to basics”: understanding your privacy obligations and implementing appropriate procedures.

With this theme in mind, it is imperative that businesses:

  • undertake an audit and understand the data you hold (customer personal information, employee health information etc.);
  • destroy or de-identify data which is no longer required;
  • assess and understand your privacy risks;
  • review, update, or amend your data handling practices – including simplifying your privacy policy;
  • know your obligations and ensure compliance with the Privacy Act and APP;
  • train your staff; and
  • prepare for data breaches.

Contact mdp Law today to discuss your business requirements.


Eliza Low

Eliza Low is an accomplished corporate and commercial lawyer who helps multinational corporations, entrepreneurial businesses and successful family-owned companies realise their investments and navigate legal risks.
