In the wake of the recent Optus and Medibank data breaches, the Government has confirmed its commitment to privacy and data security reform by proposing tougher penalties for serious or repeated privacy breaches.
On 26 October 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) was tabled in Parliament by Australia’s Attorney-General, Mark Dreyfus.
It is clear that the Bill will be fast-tracked by the government. Once passed, the Bill will amend the Privacy Act 1988 (Cth) (Privacy Act), which is also expected to be subject to further reform in the near future. In this insight, we unpack the key changes proposed in the Bill, and outline the steps that organisations bound by the Privacy Act need to be taking now to prepare for the changes.
The Bill proposes changes in five key areas that entities covered by the Privacy Act, including foreign organisations doing business in Australia, must understand:
1. Significantly increased penalties for serious or repeated privacy breaches
2. A strengthened notifiable data breach regime
3. New enforcement powers for the OAIC
4. Expanded extra-territorial application of the Privacy Act
5. New information sharing for the OAIC and other regulators
The Bill will increase penalties under the Privacy Act for serious or repeated breaches of privacy to a level significantly higher than previously proposed or anticipated.
As we explored in a previous article, in October 2021 the previous Morrison Government had released an exposure draft of legislation known as the Online Privacy Bill[1], which proposed increasing the maximum penalty for regulated entities engaging in a serious or repeated interference with privacy from AUD $2.22 million to the greater of:
In an apparent reaction to the recent Optus and Medibank data breaches in Australia, the Bill will increase the maximum penalty for a regulated entity for serious or repeated privacy breaches – which are not limited to data breaches but will apply to any serious or repeated failure to comply with the Australian Privacy Principles (APPs) – to the greater of:
For global context, these proposed new penalties are higher than the maximum penalties that currently apply under the European Union General Data Protection Regulation (GDPR)[2].
The current notifiable data breaches regime under Part IIIC of the Privacy Act will be strengthened under the Bill with enhanced powers for Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), to seek information from and conduct assessments of regulated entities and their compliance with the regime.
The Privacy Act’s notifiable data breaches regime requires that any regulated entity must notify affected individuals, and the OAIC, when an ‘eligible data breach’ occurs – this is a data breach involving loss, or unauthorised access to or disclosure, of personal information, that is likely to result in serious harm to one or more affected individuals. The regime necessarily involves the regulated entity making its own assessment of a particular data breach, and whether it is an ‘eligible data breach’ requiring notification, rather than the OAIC having any input into such an assessment.
Currently, the OAIC’s powers under the Privacy Act to obtain information about an ‘eligible data breach’ from a regulated entity are limited to the information the entity discloses in its notification to the OAIC and statement to affected individuals. If the OAIC wanted to obtain more detailed information, it would need to commence a formal investigation of the entity and the data breach, and exercise its information request powers in the course of that investigation process.
Perhaps reflecting the time-sensitive nature of data breaches, the Bill does not require the OAIC to provide a regulated entity with a reasonable period within which to produce requested information, and the OAIC will also be entitled to retain possession of records provided for any period of time that is necessary to assess an entity’s compliance with the notifiable data breaches regime.
To support these additional powers, the Bill proposes new powers for the OAIC to issue infringement notices, without initiating court proceedings, if a regulated entity fails to comply with an OAIC request to provide information and records when required. Rather than court-imposed penalties, civil penalties will apply.
Key new enforcement powers for the OAIC under the Bill include:
The "Australian link" test for foreign organisations doing business in Australia will also be amended by the Bill, such that foreign organisations are more likely to be subject to the Privacy Act, including the APPs and the notifiable data breaches regime.
The amendments remove the “second limb” requirement that the foreign organisation also collects or holds personal information in Australia in order to have an Australian link. Currently, a foreign organisation is caught by the Privacy Act if it carries on business in Australia AND collects or holds information from a source inside Australia.
The change is said to reflect that in the digital era, organisations can use technology in a way that means they don't collect or store information directly from Australia, but are still otherwise carrying on business here. It also squarely addresses what was a key issue in the OAIC’s proceedings against Facebook (Meta) in relation to the Cambridge Analytica breach.
The amended position also reflects similar extra-territorial application provisions in the Australian Consumer Law under the Competition and Consumer Act 2010 (Cth).
The Bill gives the OAIC the capacity to share information, including personal information, with other regulators, including State, Territory and foreign privacy regulators, enforcement bodies and alternative complaint bodies (such as Australia’s eSafety Commissioner), for the purpose of exercising – or enabling the receiving regulator to exercise – its powers, functions or duties.
Specifically, the Bill also gives the OAIC and the Australian Communications and Media Authority (ACMA) expanded information-sharing powers. The Explanatory Memorandum to the Bill notes that this is intended to facilitate greater and more effective co-operation between the OAIC and the ACMA, to enable the OAIC to keep Australians better informed about privacy issues.
If you are an entity bound by the Privacy Act, you should take steps to ensure that your privacy practices and procedures are up to date, and appropriately reflect the risk that privacy compliance – and non-compliance – now presents to your organisation in light of significantly increased penalties and additional enforcement options for the OAIC that will apply once the Bill is passed.
This includes:
If you are a foreign organisation doing business in Australia – even simply through offering products and services to customers in Australia, through a website accessible in Australia – seek expert advice from local counsel in Australia to determine whether you have an ‘Australian link’ and are therefore bound by the Privacy Act, the APPs and the notifiable data breaches regime.
If you would like to discuss the issues raised in this article, or how JWS can assist your organisation, please get in touch with Helen Clarke.
[1] Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021
[2] Under the GDPR, European regulators can fine businesses €20 million (approx. AUD $29.8 million) or 4 per cent of their global annual turnover, whichever is greater.