Changes to the Australian Privacy Act – increased penalties for data breach

white caution cone on keyboard
Andrew Truswell

Privacy Act amendments have passed through Parliament, receiving Royal Assent today on 12 December 2022 in response to recent high-profile data breaches. The penalties for data breaches have become significantly higher, and go further even than GDPR penalties. Other changes include giving the Office of the Australian Information Commission (OAIC) extra enforcement powers, and extending the extra-territorial reach of legislation to cover foreign organisations that source Australian personal data from digital platforms that may not have a physical presence in Australia.

Increased Penalties

The Privacy Legislation Amendment (Enforcement and Other Measures Bill 2022) significantly increases the maximum penalty of body corporates for serious or repeated breaches of the Australian Privacy Principles:

Current PenaltyNew Penalty
2.22 million AUDGreater of:
– 50 million AUD;
– 3 times value of benefits; or
– 30% of adjusted turnover in Australia during ‘breach turnover period’

While it is welcoming that the government has  taken on a harder stance on preventing data privacy breaches, given the recent high profile breaches, the increase in the quantum of penalties goes significantly further than under the standards in the EEA and UK. Shown below, are the penalties under the European General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA):

GDPR  (EU) – Art 83(5)DPA 2018 (UK)
– 20 million Euros; or
– 4% of total global turnover of the preceding fiscal year, whichever is higher
Greater of:
– 17.5 million Pounds; or
– 4% of total global turnover of the preceding fiscal year, whichever is higher

Extraterritorial application

In an Explanatory Memorandum of the Attorney General, Hon Mark Dreyfus, states that another major proposed amendment to the legislation is extending the reach of the Privacy Act to apply to foreign organisations, where they are ‘carrying on a business’ in Australia, even if they do not collect or hold Australian’s information directly from a source in Australia.

This has legal implications for foreign companies. For example, a European e-commerce company that operates in Australia which has obtained personal information (e.g. names and email addresses) of Australians from a third party that operates outside of Australia will be subject to the Australian Privacy Act.

Other regulatory changes

The Office of Australian Information Commissioner (OAIC)’s  powers are extended, to include the following:

  • Increase in the types of declarations that the Commissioner can make at the end of an investigation;
    • Examples include:
      • declaration that the at-fault party must prepare/communicate a statement about the conduct causing data breach; and
      • declaration that the at-fault party must take specified steps to ensure data breach not repeated/continued.
  • Power to conduct assessments of actual or suspected data breaches:
    • The Notifiable Data Breach (NDB) scheme is strengthened by further information gathering powers provided to the OAIC to obtain comprehensive information on data breach occurrence(s) to make a proper assessment and decisions
  • Power to delegate decision making of privacy investigation to senior staff members;
  • Power to issue infringement notices to penalise for not providing information that is the subject of litigation:
    • This is in conjunction with separating the criminal penalty so that the process can be streamlined and handled by the Commissioner without the need to engage criminal prosecutors for fining the entity in cases of civil litigation);
  • Increased information sharing powers with other enforcement entities; and
  • Power to publish information subject to satisfying a public interest test.

Having passed through parliament swiftly, it is clear that Australia is taking a tougher stance on data privacy protection. Companies may need to revisit their data privacy policies and assess whether the risk is adequately managed, and be prepared for potential increases in compliance costs.

Are you concerned about the changes? Talk to Us!

Our team understands the complexities and needs of tech-driven businesses, and are members of the Tech Council of Australia (TCA), the peak body for industry, and have been part of the latest discussions with the TCA to submit a paper to legislators examining key issues and questions in relation to the proposed bill.

Please feel free to reach out to the Biztech Lawyers team if you would like to discuss these developments in greater detail and how you can best prepare.

Book a Free
Legal Strategy Session

Share on LinkedIn
Share on Facebook
Andrew Truswell
Andrew Truswell
Andrew has focussed his practice on the intersection between aviation and technology with a specific focus on Data (Privacy and Cyber), Information Technology (Cloud, SaaS, Infrastructure, Outsourcing and IP), and Insurance (Aviation, PI & Cyber). Andrew has advised airlines like JetAsia and Qantas Airways, and market leading travel sector technology provider, Amadeus. During this period, Andrew was exposed to passenger system (PSS) and Distribution (GDS and NDC) transactions with many leading airlines, including managing data protection and cyber risks.
While Biztech Lawyers has used reasonable care and skill in compiling the content of this article. we make no warranty as to its accuracy or completeness. This article is only intended to provide a general guide to the subject matter and not intended to be specific to the reader’s circumstances. This article is not intended to be comprehensive, and it does not constitute and must not be relied on as legal advice and does not create a client-solicitor relationship between any user or reader and Biztech Lawyers. We accept no responsibility for any loss which may arise from reliance on the information contained in the article. You should undertake your own research and to seek professional advice before making any decisions or relying on the information provided.

Subscribe to our newsletter

Subscribe to our newsletter

* indicates required

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices.