In our most recent privacy update we discussed how the Australian government in response to recent high-profile data breaches, had introduced to parliament the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 to reform Australian federal privacy law, in particular the Privacy Act 1988, to significantly increase penalties for serious or repeated privacy breaches. Yesterday the Bill was passed by the Senate, following rapid progress through parliament where the Bill was supported by the Opposition, and scrutinised by the Senate’s Legal and Constitutional Affairs Legislation Committee. The Bill now awaits royal assent.
The Bill provides for corporations to be subject to a maximum penalty for a serious or repeated interference of privacy to an amount not exceeding the greater of:
- AU$50 million;
- three times the value of the benefit obtained; or
- if the court cannot determine the value of the benefit, 30 percent of the corporation’s adjusted turnover in the relevant period.
This is a huge increase in the maximum level of penalties, compared to the previous AU$2.22 million maximum penalty.
Australian Information Commissioner and Privacy Commissioner Angelene Falk has commented that “the updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation”.
There will potentially be further changes to refine this new penalty regime in the near future. In its report on the Bill, the Senate’s Legal and Constitutional Affairs Legislation Committee confirmed that it supported the penalties entering legislation but recommended that the Attorney-General’s Department, as part of its separate ongoing review of the Privacy Act, define the terms ‘serious interference’ and ‘repeatedly’, which are key to interpretation of the triggers for the penalties under section 13G of the Privacy Act. That section provides for penalties where:
- “an entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual”; or
- “an entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.”
The Legal and Constitutional Affairs Legislation Committee also recommended that the Attorney General consider in further detail if there is a more specific way to determine the requisite “benefit obtained” by a corporation for the purpose of the maximum penalty.
In addition to the changes to penalties, the Bill also provides the Office of the Australian Information Commissioner with increased powers to participate in, and resolve, data breaches. The extraterritoriality provisions of the Privacy Act have also been amended so corporations will be required to meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia, notwithstanding that they may be domiciled overseas.
To avoid the potential for significant penalties, corporations would be wise to take stock and check they are meeting their legal obligations in respect of any personal information they collect or hold. While having a privacy policy has almost become universal, this alone is not sufficient. In our legal practice where we advise on privacy and management of digital assets, we are seeing commonly arising compliance issues in a number of areas including:
- using personal information for secondary purposes, unrelated to the disclosed purpose of the data collection, including selling data without consent;
- failure to provide proper attention to due diligence around data assets when investing in or purchasing businesses;
- start up companies that haven’t paid sufficient attention to data collection and management practices as they manage rapid growth;
- failure to use collection notices;
- companies often don’t have a security policy or a data breach response plan and the structure and process to keep these updated as the threat landscape changes;
- little attention is paid to data life cycle management, which makes it difficult to ensure destruction or de-identification of personal information when personal information is no longer needed, or to allow customers to exercise their rights to access or seek correction of their personal information; and
- inadequate due diligence and protection for data in contracts with third parties and offshore service providers.
Another area of focus for corporations should be to review or obtain cyber security insurance – without it a corporation will be self-insuring costs and penalties associated with inevitable data breaches.
If you have any questions about whether your corporation is compliant with Australian privacy law, or whether you need help assessing your preparedness for the new focus on privacy compliance, please get in touch with us.
