Changes to the Australian Privacy Act – increased penalties for data breach

Andrew Truswell

Privacy Act amendments have passed through Parliament, receiving Royal Assent today, 12 December 2022, in response to recent high-profile data breaches. The penalties for data breaches have become significantly higher, and go further even than GDPR penalties. Other changes include giving the Office of the Australian Information Commissioner (OAIC) extra enforcement powers, and extending the extra-territorial reach of the legislation to cover foreign organisations that source Australian personal data from digital platforms that may not have a physical presence in Australia.

Increased Penalties

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 significantly increases the maximum penalty for bodies corporate for serious or repeated breaches of the Australian Privacy Principles:

Current penalty: 2.22 million AUD

New penalty: greater of:
– 50 million AUD;
– 3 times the value of benefits; or
– 30% of adjusted turnover in Australia during the ‘breach turnover period’

While it is welcome that the government has taken a harder stance on preventing data privacy breaches, given the recent high-profile breaches, the increase in the quantum of penalties goes significantly further than the standards in the EEA and UK. Shown below are the penalties under the European General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA):

GDPR (EU) – Art 83(5): greater of:
– 20 million Euros; or
– 4% of total global turnover of the preceding fiscal year

DPA 2018 (UK): greater of:
– 17.5 million Pounds; or
– 4% of total global turnover of the preceding fiscal year

Extraterritorial application

In the Explanatory Memorandum, the Attorney-General, Hon Mark Dreyfus, states that another major amendment to the legislation is extending the reach of the Privacy Act to apply to foreign organisations where they are ‘carrying on a business’ in Australia, even if they do not collect or hold Australians’ information directly from a source in Australia.

This has legal implications for foreign companies. For example, a European e-commerce company that operates in Australia and has obtained personal information (e.g. names and email addresses) of Australians from a third party operating outside of Australia will be subject to the Australian Privacy Act.

Other regulatory changes

The Office of the Australian Information Commissioner (OAIC)’s powers are extended to include the following:

  • Increase in the types of declarations that the Commissioner can make at the end of an investigation;
    • Examples include:
      • a declaration that the at-fault party must prepare/communicate a statement about the conduct causing the data breach; and
      • a declaration that the at-fault party must take specified steps to ensure the data breach is not repeated/continued.
  • Power to conduct assessments of actual or suspected data breaches:
    • The Notifiable Data Breach (NDB) scheme is strengthened by further information-gathering powers provided to the OAIC to obtain comprehensive information on data breach occurrence(s) in order to make a proper assessment and decisions.
  • Power to delegate decision-making in privacy investigations to senior staff members;
  • Power to issue infringement notices to penalise a failure to provide information that is the subject of litigation:
    • This is in conjunction with separating out the criminal penalty so that the process can be streamlined and handled by the Commissioner, without the need to engage criminal prosecutors to fine the entity in cases of civil litigation;
  • Increased information-sharing powers with other enforcement entities; and
  • Power to publish information, subject to satisfying a public interest test.

Having passed through Parliament swiftly, it is clear that Australia is taking a tougher stance on data privacy protection. Companies may need to revisit their data privacy policies, assess whether the risk is adequately managed, and be prepared for potential increases in compliance costs.

Are you concerned about the changes? Talk to Us!

Our team understands the complexities and needs of tech-driven businesses, is a member of the Tech Council of Australia (TCA), the peak body for the industry, and has been part of the latest discussions with the TCA to submit a paper to legislators examining key issues and questions in relation to the proposed bill.

Please feel free to reach out to the Biztech Lawyers team if you would like to discuss these developments in greater detail and how you can best prepare.

PARTNER - DATA & PRIVACY | AVIATION TECH
Andrew has focused his practice on the intersection between aviation and technology, with a specific focus on Data (Privacy and Cyber), Information Technology (Cloud, SaaS, Infrastructure, Outsourcing and IP), and Insurance (Aviation, PI & Cyber). Andrew has advised airlines such as JetAsia and Qantas Airways, and the market-leading travel sector technology provider Amadeus. During this period, Andrew was exposed to passenger service system (PSS) and distribution (GDS and NDC) transactions with many leading airlines, including managing data protection and cyber risks.