$50m Penalties, More Regulatory Powers and Expanded Global Reach – Part One of Australia’s Privacy Act Reforms

On Wednesday 26 October 2022, Australia’s Attorney-General Mark Dreyfus introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) into Federal Parliament.

The Bill includes amendments to the Privacy Act 1988 (Cth) (Privacy Act), including:

1. Maximum penalties of $50 million and more for serious or repeated interferences with privacy;
2. Enhanced powers (including new information gathering and sharing powers) for the Office of the Australian Information Commissioner (OAIC); and
3. Broader extra-territorial application of the Privacy Act.

Many of the proposed amendments to the Privacy Act were foreshadowed by the previous Government’s release of the Exposure Draft to the Online Privacy Bill last year (see our briefing  here). However, the increase to the penalties is especially significant, with the previous proposal at $10 million rather than $50 million.

The introduction of the Bill this week was undoubtedly accelerated by recent high-profile data breaches in Australia. Whether a data breach occurs as the result of a malicious actor, internal error or the failings of a third-party service provider, the Government had clearly signalled its increased focus on enforcing privacy compliance with stronger financial consequences for failures to do so.

What steps should organisations take?

The Bill, and other adjacent legislative and regulatory developments (including recent reforms to the Security of Critical Infrastructure Act),¹ have elevated privacy, data protection and information security as critical considerations that all companies must proactively manage. Given the very real regulatory, reputational and business interruption consequences that cyber-attacks or data and privacy breaches cause, it is unsurprising that cyber security and cyber resilience are rated as a top risk by Boards today.

In this context, entities must ensure they have appropriate privacy and data security practices and procedures in place, commensurate to the increased level of technological, regulatory, legal and financial risk.

These include:

• Systematically considering and testing whether data collection, use, disclosure, retention and other practices involving privacy risk are necessary and proportionate to the business need or use case.
• Implementing and regularly testing incident response and business continuity plans with a long-term view to manage any regulatory involvement and flow-on enforcement or class action litigation.
• Ensuring the organisation’s level of insurance cover is commensurate with the new and elevated cyber risk environment.

The Bill explained

Strengthened penalties

One of the most substantial changes proposed by the Bill is the increase to the maximum civil penalty for serious and repeated interferences with privacy under section 13G of the Privacy Act. 

Presently, the maximum penalty for a company is $2.22 million. The Bill seeks to increase this to an amount not more than the greater of:

• $50 million; or
• three times the benefit obtained by the company and any related body corporate from the breach; or
• if a court cannot determine the amount of the benefit, then 30% of the ‘adjusted turnover’² of the company’s Australian group during the ‘breach turnover period’, which will be 12 months or longer if the breach period was longer.

The Explanatory Memorandum to the Bill (EM) stated that the existing penalties fell short of community expectations, particularly given the potential financial and emotional harm that serious or repeated breaches can have.

The changes align with proposed increases to maximum penalties for contraventions of the Australian Consumer Law, introduced with the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022 (Cth).  

Penalties can only be imposed following ‘serious’ or ‘repeated’ interference with privacy and require the OAIC to commence civil penalty proceedings in the Federal Court or Federal Circuit and Family Court of Australia. The OAIC has only commenced civil penalty proceedings once. Given the resource and cost implications involved with litigation, we consider it likely that the OAIC will focus its attention on the most egregious failings, however further amendments to the Privacy Act may introduce a more efficient infringement notice for lower-level breaches.

Stronger investigatory and enforcement powers for the OAIC

The Bill also provides the OAIC with more flexibility in how it can investigate potential interferences with privacy (including at the time a notifiable data breach report is made) and authorises information that it gathers can be shared with other regulators or disclosed to the public as it considers appropriate. The Bill introduced powers already contemplated in the Exposure Draft to the Online Privacy Bill last year as well as other new or reinforced powers in the context of data breaches.

New powers to obtain information or documents relating to eligible data breaches

Additional information gathering powers will be introduced under a new s 26WU of the Privacy Act enabling the OAIC to issue a notice requesting information, document(s), or requiring a person to answer questions, about an actual or suspected eligible data breach under the Notifiable Data Breaches (NDB) scheme. This will be subject to the criminal penalties for failure to comply, as discussed below.

This change aims to give the OAIC greater insight into an entity’s practices and the information compromised in an actual or suspected eligible data breach, to understand the parameters of a breach or an emerging issue, and evaluate the particular risk of harm to individuals. The Commissioner had called - in the consultation on broader reforms to the Privacy Act - for greater transparency about actions entities are taking in response to data breaches to inform its regulatory response.

Expended information gathering powers when assessing compliance with the Privacy Act

The OAIC will also have new powers to require, by written notice, that entities produce any information relevant as part of its assessment powers generally. In deciding to exercise these powers, the OAIC will need to be satisfied it is reasonable in the circumstances, having regard to the public interest, the notice recipient, and any other relevant matters.

New powers to share information with other regulatory bodies

The OAIC will be authorised to share information acquired in the course of the exercise of its powers and functions with other enforcement agencies, alternative complaint bodies, and State, Territory or foreign privacy regulators under new s 33A of the Privacy Act. Yes.

This aims to facilitate regulatory cooperation and collaboration, as already demonstrated through other initiatives such as joint investigations conducted with other regulators as well as the Digital Platforms Regulators Forum.

The OAIC will only be allowed to do so where it is satisfied on reasonable grounds that the receiving body has ‘satisfactory arrangements in place for protecting the information’, and the receiving body may then only use the information for the purposes for which it was shared.

The OAIC’s expanded information gathering and sharing powers are generally in line with those of other regulators (such as the ACCC, ASIC, APRA).

New public interest disclosure powers

The Bill would allow the OAIC to disclose information acquired in the course of the exercise of its powers and functions, if it is satisfied that disclosure is the public interest. This provision was not proposed as part of the Exposure Draft last year, and is a likely consequence of the high public interest and concern arising from recent data breaches.

The stated aim of introducing those broad powers is to ensure Australians are informed about instances where their privacy may have been compromised, and are able to take measures to protect their personal information.

In making a public interest disclosure, the OAIC must consider a range of matters including:

• the rights and interests of any complainant or respondent;
• whether the disclosure will, or is likely to, prejudice any investigation underway;
• whether the disclosure would be likely to prejudice activities conducted by enforcement agencies; and
• whether the disclosure will, or is likely to, disclose the personal information of any person or confidential commercial information.

The OAIC may also have regard to any other matter it considers relevant when determining if a disclosure is in the public interest. For example, the EM states that the OAIC may have regard to any consultation with affected entities, and any actions affected entities have taken (such as where the entity has already notified individuals).

Criminal penalties for failure to comply with requests to provide information

The Commissioner will have new powers to issue an infringement notice where a party fails to provide information when requested without reasonable excuse under amended s 66 of the Privacy Act, although in practice, powers such as these do not commonly need to be exercised to enforce compliance.

Powers to publish a statement about the misconduct at the conclusion of an investigation

The OAIC will now also be empowered to require a party to engage an independent adviser (when requiring that party to undertake steps to ensure contravening conduct is not repeated) and publish a statement about the conduct that led to the breach.

This is aimed at providing greater transparency and visibility as to an entity’s remediation activities and conduct following a breach. This is likely to exacerbate the reputational implications for companies and increase tail risk, including from class actions.

New powers to conduct assessments for compliance with the NDB scheme

The proposed amendments will permit the OAIC to assess an entity’s compliance with the NDB scheme under amended s 33C of the Privacy Act, as an extension of its powers to conduct assessments relating to an entity’s compliance with the APPs. This will allow the OAIC to assess the extent to which there are processes and procedures to assess suspected eligible data breaches and provide notice to at-risk individuals, to ensure compliance with reporting and notification obligations under the NDB scheme.

Extra-territorial effect

The Bill will make it easier for the Privacy Act to apply to overseas companies, with the only additional requirement being that they carry on business in Australia. At present, for the Privacy Act to apply to overseas company, they must also collect or hold personal information in Australia.

The EM states the aim is to clarify that the Privacy Act will apply even where a foreign organisation does not collect Australians’ information directly from a source in Australia. For example, this would capture organisations that collect information from a digital platform that does not have servers in Australia.

Recent interpretations of the current extra-territorial provisions under the Act by the OAIC and the Federal Court had already resulted in foreign companies being the subject of adverse findings under the Privacy Act despite not holding information in Australia. However, in one case the Full Federal Court rejected the OAIC’s arguments that the use of caching servers and the collection of data through instantaneous transfers constituted the collection of personal information in the relevant sense. The removal of the requirement that personal information be collected or held in Australia, will mean such arguments will no longer be necessary.

We note a (presumably unintentional) consequence of the proposed drafting changes appears to be that foreign companies carrying on business in Australia would be subject to the Act even in respect of their activities that do not relate to their business in Australia, or to Australian individuals. We note that the EU’s General Data Protection Regulation includes extra-territoriality tests based on individuals in the EU, and the California Consumer Privacy Act includes a test based on Californian residents.

What’s next?

The Bill is the first legislative step in the Government’s highly anticipated privacy reform agenda, with the Attorney-General confirming a further suite of recommended privacy reforms will be revealed at the end of the year.

This flows from his Department’s review of the Privacy Act which commenced in 2019.

Contemplated changes include strengthened notification and consent requirements, an expanded scope of the definition of personal information, restrictions to practices involving greater privacy risk such as targeted advertising at a large scale or the use of biometric or genetic data (eg facial recognition software), more rights for individuals (eg to have their data erased), and the removal of certain exemptions under the Privacy Act.

Organisations should continue to engage with the reforms and prepare for compliance with enhanced privacy and information security requirements.

1. See our briefing Demystifying Australia's recent Security of Critical Infrastructure Act reforms | Herbert Smith Freehills | Global law firm
2. The Bill defines adjusted turnover as the sum of the value of all the supplies the company, and any related body corporate, have made, or are likely to make, in connection with Australia’s indirect tax zone (with certain exceptions).