The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
Summary
Following a tumultuous period in which a number of large companies have experienced significant and high profile data breaches, notably Medibank and Optus, the Federal Government last week introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (‘the Bill’). If passed, the Bill would:
· significantly increase the maximum penalties under the Privacy Act 1988 (‘Privacy Act’);
· expand the application of the Privacy Act to capture foreign organisations that capture personal information of Australians without necessarily having a physical presence in Australia;
· provide the Office of the Australian Information Commissioner (‘OAIC’) with enhanced enforcement powers; and
· provide the Australian Information Commissioner (‘Commissioner’) with greater information sharing powers.
The Bill, which is likely the first step towards broader reform of privacy law in Australia, will not only increase the potential consequences of non-compliance with the Privacy Act, but also equip the OAIC to take on a more active role in regulating privacy compliance in Australia.
Increase to penalties for serious or repeated privacy breaches
If passed, the Bill would increase the maximum penalty for serious or repeated breaches of the Australian Privacy Principles for individuals or unincorporated entities from $444,000 to $2.5m, and for an incorporated entity from $2.22m to the greater of:
· $50 million;
· three times the benefit obtained by the entity or its related bodies corporate (directly or indirectly); or
· where the value of the benefit obtained cannot be ascertained, 30% of the ‘adjusted turnover’[1] of the body corporate during the breach turnover period for the contravention (being a period of no less than 12 months, and potentially longer).
Increased penalties under the Privacy Act have been contemplated by successive governments for several years; however, it is noteworthy that the proposed penalties, which are consistent with the proposed maximum penalties under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, are significantly higher than those contemplated under the former Government’s draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021.
Whilst the spate of recent high profile data breaches appears to have spurred the Government into action, it is worth noting that the increased penalties will not apply retrospectively to any past serious or repeated breaches of the Australian Privacy Principles.
Extra-Territorial Changes
The Bill also seeks to significantly expand the extra-territorial application of the Privacy Act by amending the current ‘Australian link’ test (which determines whether an organisation is required to comply with the Privacy Act in relation to acts done outside Australia) by removing the threshold requirement that the organisation collects or holds Australians’ information directly from a source in Australia.
Whilst the removal of the requirement for the collection or holding of personal information to have occurred in Australia appears intended to remove ambiguity as to the extra-territorial application of the Privacy Act, which has been subject to dispute in Federal Court action brought by the OAIC, the amendment may have the unintended consequence of extending the obligations of the Privacy Act to the overseas collection of personal information of individuals located outside Australia by any organisation that happens to carry on a business in Australia.
New Information Sharing Powers
The Bill also proposes to enhance the information sharing powers of the OAIC and the Australian Communications and Media Authority (‘ACMA’) to facilitate greater cooperation and enhance their ability to respond to incidents.
· OAIC Information Sharing: The Bill will allow the OAIC to share information and documents with enforcement bodies, alternative complaint bodies or State, Territory or foreign privacy authorities to enable the OAIC, or the receiving body, to perform their respective functions. Information sharing will be subject to certain requirements, including requiring the OAIC to ensure the receiving body has satisfactory arrangements in place to protect any disclosed information.
· Public Disclosure of Information: The Bill will also allow the OAIC to publish information and documents publicly where it determines it is in the public interest to do so, subject to specified safeguards. As stated in the Explanatory Memorandum, the intent of this power is to ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties.
· ACMA Information Sharing: The Bill will grant the ACMA the power to share information with non-corporate government entities (as defined under the Public Governance, Performance and Accountability Act 2013) that are responsible for enforcing one or more laws of the Commonwealth.
Investigative and Enforcement Powers
The Bill will also equip the OAIC with a range of new investigative and enforcement powers to enhance its regulatory oversight of privacy in Australia, including:
· Powers to investigate compliance with the Eligible Data Breach Scheme: The Bill will grant the OAIC the power to investigate, at any time, an entity’s compliance (or ability to comply) with the eligible data breach scheme, including an entity’s ability to assess suspected eligible data breaches, and to provide notices to the OAIC and affected individuals at risk from such breaches.
· Greater information gathering powers: The Bill will also enable the OAIC to request information or documents relating to an actual or suspected eligible data breach of an entity, or to an entity’s compliance with the eligible data breach scheme. Such information can be requested at any time, and the OAIC is not required to provide an entity with a reasonable time to respond.
· Penalties for failing to provide information: The Bill replaces the current criminal penalty for failure to provide information, answer a question or produce a document or record with a civil penalty provision of up to $13,200 for an individual, or $66,600 for a body corporate, significantly streamlining the enforcement of minor failures without having to resort to prosecution of a criminal offence. To address the potential for recalcitrant entities who engage in a system of conduct or pattern of behaviour resulting in two or more failures to provide information, answer a question or produce a document or record, a new criminal offence is proposed with a penalty of up to $66,600, which may be referred to the Commonwealth Director of Public Prosecutions.
· New powers to make determinations: The Bill also expands the determinations the Commissioner can make. These include a determination requiring an entity to prepare, publish or communicate a statement about the conduct constituting an interference with an individual’s privacy that was the subject of a complaint, including any steps taken by the entity to ensure the conduct is not repeated or continued, and/or a determination requiring an entity to engage with the Commissioner or a suitably qualified independent adviser to review the entity’s practices that were the subject of the complaint, to ensure that the conduct constituting an interference with privacy is not repeated or continued.
· Delegation Powers: The Bill will also permit the Commissioner to delegate the power to make determinations following an investigation to senior OAIC personnel, streamlining the determination process.
Interestingly, many of these enhanced powers will apply retrospectively to investigations into historic incidents that have already occurred, as well as information that was already held by the OAIC.
Final word
Whilst many of the amendments outlined in the Bill have been previously explored or flagged, we note that the increased penalties and investigative powers granted to the OAIC, coupled with the increased funding for OAIC investigations flagged in the Government’s recent October Budget (including $5.5m over two years for investigation of the Optus cyber incident), suggest a growing level of Government (and public) expectation that the OAIC will take a more active role in regulating privacy in Australia.
Noting the potential for an increasingly active OAIC, the proposed increased penalties for non-compliance, the significant financial and reputational impact of data breaches on organisations and the near certainty of additional amendments to the Privacy Act in the future, organisations are advised to review and update their data and privacy practices (including their collection and use of personal information) and implement proportionate cyber security measures that reflect the ever changing threat environment, advancements in technology and the type of information the organisation holds.
The increased focus on compliance with the eligible data breach scheme also highlights the importance of ensuring that appropriate risk management and incident response plans are developed, updated and implemented, and that responsible individuals or teams are familiar with the incident response processes and procedures so they can act quickly in the event of a suspected or actual data breach.
Please contact us if you would like to discuss any information covered in this alert in further detail.
[1] An entity’s ‘adjusted turnover’ will be calculated as the sum of the values of all the supplies that the body corporate, and any related body corporate, have made, or are likely to make, during the period, other than supplies made from any of those bodies corporate to any other of those bodies corporate, supplies that are input taxed, supplies that are not for consideration (and are not taxable supplies under section 72-5 of the A New Tax System (Goods and Services Tax) Act 1999), supplies that are not made in connection with an enterprise that the body corporate carries on, or supplies that are not connected with the indirect tax zone.