Attorney-General The Hon Christian Porter MP has announced the government’s intention to introduce a raft of tougher penalties under the Privacy Act 1988 (Cth) (Privacy Act). While coverage of the new penalties has focussed on the potential fines for tech giants such as Google and Facebook, the changes, if enacted, could have a significant financial impact for all organisations operating in (or connected to) Australia.
What are the proposed changes?
The amendments to the Privacy Act include the following:
increased penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia:
provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of:
expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised;
require social media and online platforms to stop using or disclosing an individual's personal information upon request; and
introduce specific rules to protect the personal information of children and other vulnerable groups.
These changes are being backed by an AUD 25 million increase to the OAIC’s funding over the next 3 years.
The Attorney-General announced the increased penalties saying that the current regime under the Privacy Act “fall[s] short of community expectations”. Social media and online platforms have also been singled out by the Attorney-General because of the increased reach, over the past decade, of these organisations that trade in personal information.
These proposed amendments to the Privacy Act pre-empt the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final report in June 2019. The Attorney-General has said that the draft legislation will incorporate any relevant findings from this inquiry. The legislation will be drafted for consultation in the second half of 2019; however its progress depends on the outcome of the Federal Election which is to be held sometime in May 2019.
The full announcement can be accessed here.
What does this mean for you?
If passed, we anticipate these changes will impact the privacy compliance landscape. In particular, the potential for increased financial penalties, and a new willingness of the OAIC to publicise breaches where it sees fit, create an additional risk to an entity's reputation and its bottom line should an incident occur. This added risk may drive entities to treat privacy risk as a significant whole-of-business issue. It is important to remember that these changes, if introduced, will not just apply to data-rich social media companies, but also to any organisation or government agency subject to the Privacy Act, including those operating within, and potentially outside of, Australia.
That said, it remains to be seen whether the OAIC will exercise any new powers (if granted) to issue penalties to individuals and organisations that fail to cooperate in resolving 'minor breaches', given that the existing penalty regime (maximum AUD 2.1 million for organisations) has not yet been enforced in relation to Eligible Data Breaches. We continue to monitor with great interest whether the OAIC will shift from its current approach of working with entities in a conciliatory way to achieve privacy compliance to taking a harder stance against entities. Despite a pledge of an additional AUD 25 million in funding over three years, we are also monitoring whether the penalty regime could effectively be used as a mechanism to self-fund the OAIC's activities.
Despite this, we consider that all entities should assess their privacy obligations with renewed vigour in advance of any potential enhancements to the Privacy Act. Entities should ensure that at bare minimum they have taken steps to assess whether they have in place adequate systems and processes to achieve privacy compliance, and be able to evidence that in any later incident. This includes improving information handling practices, implementing processes to address individual privacy complaints, and being prepared to expeditiously assess and respond to larger data breach incidents. Entities should also consider whether cyber insurance is an appropriate risk mitigation strategy to assist with the costs and potential liabilities arising out of incidents.