Tougher penalties for privacy breaches, new measures to ensure that social media companies protect users’ personal information and $25 million in additional funding for the national privacy regulator were announced earlier this week as the Federal Government foreshadowed a number of changes to privacy regulation.

The proposed tightening comes amid an outcry against social media platforms for failing to effectively monitor and remove extremist content published during and after the Christchurch massacre. While the Government has moved quickly to demonstrate action on the issue, the legislation will not be drafted for consultation until the second half of 2019, after the federal election.

In the meantime, we consider the proposal below.

What are the proposed changes?

The joint announcement by Attorney-General Christian Porter and Senator Mitch Fifield proposed key changes to the Privacy Act 1988 (Cth) (Act). These include:

  • an increase of the maximum penalty for serious or repeated breaches of the Act from $2.1 million to whichever is the greater of:
      - $10 million; or
      - three times the value of any benefit obtained through the misuse of the information; or
      - 10 per cent of a company’s annual domestic turnover
  • additional powers for the Office of the Australian Information Commissioner (OAIC) to issue infringement notices, supported by new penalties of up to $63,000 for companies and $12,600 for individuals for failure to cooperate to resolve minor breaches of the Act
  • allowing the OAIC to ensure breaches are addressed by alternate means, such as through third-party reviews and/or the publication of notices about specific breaches
  • imposing a requirement on social media and online platforms to cease use or disclosure of an individual’s personal information upon request
  • the introduction of specific rules that protect the personal information of children and vulnerable groups.

The proposed changes to the regulation would be supported by a code of conduct for social media and online platforms, requiring increased transparency about any data sharing arrangements and more specific consent of users to the collection and use of their information. These changes are consistent with regulatory moves in Europe, following the commencement of the General Data Protection Regulation in 2018, and updates to the self-regulatory code on hate speech.

To help the OAIC administer and enforce this expanded online regime, it will receive a much-needed $25 million funding boost over three years.

What’s the timing?

Despite the speed of the announcement, the timing for implementation suggests that the Government will wait until it can incorporate the findings of the Digital Platforms Inquiry, due to deliver its final report in June 2019. The Government has suggested it then intends to consult on the draft legislation in the second half of the year, which will also follow the G20 Summit in Japan where Scott Morrison wants to make social media regulation an agenda item.

The implementation timeline is in stark contrast to that of the contentious encryption legislation, which was rushed through Parliament on the last parliamentary sitting day of 2018 in response to calls by security agencies for new powers to fight terrorism.