Privacy Act amendments have passed through Parliament, receiving Royal Assent today, 12 December 2022, in response to recent high-profile data breaches. The penalties for data breaches have become significantly higher, and go further even than GDPR penalties. Other changes include giving the Office of the Australian Information Commissioner (OAIC) extra enforcement powers, and extending the extra-territorial reach of the legislation to cover foreign organisations that source Australian personal data from digital platforms that may not have a physical presence in Australia.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 significantly increases the maximum penalty for bodies corporate for serious or repeated breaches of the Australian Privacy Principles:
| Current penalty | New penalty |
| --- | --- |
| 2.22 million AUD | Greater of: 50 million AUD; 3 times the value of the benefits obtained; or 30% of adjusted turnover in Australia during the ‘breach turnover period’ |
While it is welcome that the government has taken a harder stance on preventing data privacy breaches, given the recent high-profile breaches, the increase in the quantum of penalties goes significantly further than the standards in the EEA and UK. Shown below are the penalties under the European General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA):
| GDPR (EU) - Art 83(5) | DPA 2018 (UK) |
| --- | --- |
| Greater of: 20 million Euros; or 4% of total global turnover of the preceding fiscal year | Greater of: 17.5 million Pounds; or 4% of total global turnover of the preceding fiscal year |
In the Explanatory Memorandum, the Attorney General, Hon Mark Dreyfus, states that another major proposed amendment to the legislation is extending the reach of the Privacy Act to apply to foreign organisations where they are ‘carrying on a business’ in Australia, even if they do not collect or hold Australians’ information directly from a source in Australia.
This has legal implications for foreign companies. For example, a European e-commerce company that operates in Australia and has obtained personal information (e.g. names and email addresses) of Australians from a third party operating outside Australia will be subject to the Australian Privacy Act.
The Office of the Australian Information Commissioner (OAIC)’s powers are extended to include the following:
- An increase in the types of declarations that the Commissioner can make at the end of an investigation. Examples include:
- The Notifiable Data Breach (NDB) scheme is strengthened by further information-gathering powers provided to the OAIC to obtain comprehensive information on data breach occurrence(s) in order to make a proper assessment and decisions.
- Power to delegate decision-making in privacy investigations to senior staff members.
- Power to issue infringement notices to penalise a failure to provide information that is the subject of litigation.
Having passed through Parliament swiftly, the amendments make clear that Australia is taking a tougher stance on data privacy protection. Companies may need to revisit their data privacy policies, assess whether the risk is adequately managed, and be prepared for potential increases in compliance costs.
Our team understands the complexities and needs of tech-driven businesses. We are members of the Tech Council of Australia (TCA), the peak body for the industry, and have been part of the latest discussions with the TCA to submit a paper to legislators examining key issues and questions in relation to the proposed bill.
Please feel free to reach out to the Biztech Lawyers team if you would like to discuss these developments in greater detail and how you can best prepare.