In the wake of the recent Optus and Medibank data breaches, the Government has confirmed its commitment to privacy and data security reform by proposing tougher penalties for serious or repeated privacy breaches.

On 26 October 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) was tabled in Parliament by Australia’s Attorney-General, Mark Dreyfus.

It is clear that the Bill will be fast-tracked by the government. Once passed, the Bill will amend the Privacy Act 1988 (Cth) (Privacy Act), which is also expected to be subject to further reform in the near future. In this insight, we unpack the key changes proposed in the Bill, and outline the steps that organisations bound by the Privacy Act need to be taking now to prepare for the changes.

Key changes proposed by the Bill

The Bill proposes changes in five key areas that entities covered by the Privacy Act, including foreign organisations doing business in Australia, must understand:

1. Significantly increased penalties for serious or repeated privacy breaches

2. A strengthened notifiable data breach regime

3. New enforcement powers for the OAIC

4. Expanded extra-territorial application of the Privacy Act

5. New information sharing for the OAIC and other regulators

1. Significantly increased penalties for serious or repeated privacy breaches

The Bill will increase penalties under the Privacy Act for serious or repeated breaches of privacy to a level significantly higher than previously proposed or anticipated.

As we explored in a previous article, in October 2021 the previous Morrison Government had released an exposure draft of legislation known as the Online Privacy Bill[1], which proposed increasing the maximum penalty for regulated entities engaging in a serious or repeated interference with privacy from AUD $2.22 million to the greater of:

  • AUD $10 million;
  • three times the benefit obtained by the entity from the misconduct; or
  • 10% of the entity’s turnover in the 12-month period leading up to the misconduct.

In an apparent reaction to the recent Optus and Medibank data breaches in Australia, the Bill will increase the maximum penalty for a regulated entity for serious or repeated privacy breaches – which are not limited to data breaches but will apply to any serious or repeated failure to comply with the Australian Privacy Principles (APPs) – to the greater of:

  • AUD $50 million;
  • three times the value of the benefit obtained by the entity from the privacy breach, whether directly or indirectly, if that can be determined by a court; or
  • 30% of the entity’s adjusted turnover (meaning the sum of all supplies that the entity and its related bodies corporate make) during the past 12 months or the relevant breach period, whichever is longer.

For global context, these proposed new penalties are higher than the maximum penalties that currently apply under the European Union General Data Protection Regulation (GDPR)[2].

2. A strengthened notifiable data breach regime

The current notifiable data breaches regime under Part IIIC of the Privacy Act will be strengthened under the Bill with enhanced powers for Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), to seek information from and conduct assessments of regulated entities and their compliance with the regime.

The Privacy Act’s notifiable data breaches regime requires that any regulated entity must notify affected individuals, and the OAIC, when an ‘eligible data breach’ occurs – this is a data breach involving loss, or unauthorised access to or disclosure, of personal information, that is likely to result in serious harm to one or more affected individuals. The regime necessarily involves the regulated entity making its own assessment of a particular data breach, and whether it is an ‘eligible data breach’ requiring notification, rather than the OAIC having any input into such an assessment.

Currently, the OAIC’s powers under the Privacy Act to obtain information about an ‘eligible data breach’ from a regulated entity are limited to the information the entity discloses in its notification to the OAIC and statement to affected individuals. If the OAIC wanted to obtain more detailed information, it would need to commence a formal investigation of the entity and the data breach, and exercise its information request powers in the course of that investigation process.

Perhaps reflecting the time-sensitive nature of data breaches, the Bill does not require the OAIC to provide a regulated entity with a reasonable period within which to produce requested information, and the OAIC will also be entitled to retain possession of records provided for any period of time that is necessary to assess an entity’s compliance with the notifiable data breaches regime.

To support these additional powers, the Bill proposes new powers for the OAIC to issue infringement notices if a regulated entity fails to comply with an OAIC request to provide information and records when required. Rather than the OAIC having to initiate court proceedings, civil penalties will apply under the infringement notice.

3. New enforcement powers for the OAIC

Key new enforcement powers for the OAIC under the Bill include:

  • in a determination following an OAIC investigation of a privacy complaint against a regulated entity, the ability to order the entity to engage an independent adviser to undertake an external review of the conduct that was the subject of the complaint and the entity’s proposed remediation of the complaint, and to consult with and share the outcomes of the review with the OAIC; and
  • also in a determination following an OAIC investigation of a complaint, and subject to a public interest test, the ability to require the regulated entity to prepare a public statement about the conduct that was the subject of the complaint and either issue the statement publicly or provide it to the affected individuals.

4. Expanded extra-territorial application of the Privacy Act

The "Australian link" test for foreign organisations doing business in Australia will also be amended by the Bill, such that foreign organisations are more likely to be subject to the Privacy Act, including the APPs and the notifiable data breaches regime.

The amendments remove the “second limb” requirement that the foreign organisation also collects or holds personal information in Australia in order to have an Australian link. Currently, a foreign organisation is caught by the Privacy Act if it carries on business in Australia AND collects or holds information from a source inside Australia.

The change is said to reflect that, in the digital era, organisations can use technology in ways that mean they do not collect or store information directly from Australia while still otherwise carrying on business here. It also squarely addresses what was a key issue in the OAIC’s proceedings against Facebook (Meta) in relation to the Cambridge Analytica breach.

The amended position also reflects similar extra-territorial application provisions in the Australian Consumer Law under the Competition and Consumer Act 2010 (Cth).

5. New information sharing for the OAIC and other regulators

The Bill gives the OAIC the capacity to share information, including personal information, with other regulators, including State, Territory and foreign privacy regulators, enforcement bodies and alternative complaint bodies (such as Australia’s eSafety Commissioner), for the purpose of exercising – or enabling the receiving regulator to exercise – its powers, functions or duties.

In particular, the Bill gives the OAIC and the Australian Communications and Media Authority (ACMA) expanded information-sharing powers. The Explanatory Memorandum to the Bill notes that this is intended to facilitate greater and more effective co-operation between the OAIC and the ACMA, and to enable the OAIC to keep Australians better informed about privacy issues.

Key takeaways – what do businesses need to do now?

If you are an entity bound by the Privacy Act, you should take steps to ensure that your privacy practices and procedures are up to date, and appropriately reflect the risk that privacy compliance – and non-compliance – now presents to your organisation in light of significantly increased penalties and additional enforcement options for the OAIC that will apply once the Bill is passed.

This includes:

  • conducting a privacy and data audit to understand when, where and how personal information is collected, stored, used and disclosed across the organisation, and to identify where compliance risks exist and confirm what steps are required to mitigate those risks;
  • reviewing and updating your data breach response plan – including to ensure it addresses how to respond to OAIC requests for information in light of the OAIC’s enhanced powers – and regularly testing its effectiveness and training your people on its implementation;
  • reviewing third party risks and contracts, particularly contracts for services and outsourcing arrangements that involve third parties storing and/or processing personal information on the organisation’s behalf, to determine whether privacy compliance and information security is appropriately dealt with; and
  • considering your cyber risk position with your insurers, to ensure you have appropriate cyber risk insurance cover.

If you are a foreign organisation doing business in Australia – even simply through offering products and services to customers in Australia, through a website accessible in Australia – seek expert advice from local counsel in Australia to determine whether you have an ‘Australian link’ and are therefore bound by the Privacy Act, the APPs and the notifiable data breaches regime.