Australian Government Serious About Data Privacy: Substantial Increases in Fines and Enhanced Regulatory Powers
The Situation: Following a number of high-profile cyber incidents resulting in significant data breaches, the Australian Government has doubled down on its efforts to strengthen privacy laws and cybersecurity resilience, passing the most significant reforms to the Privacy Act 1988 (Cth) ("Privacy Act") since the introduction of the notifiable data breach scheme in 2017, as well as announcing that it will soon begin consulting on a revised Cybersecurity Strategy for 2023–2030.
The Result: The Privacy Legislation Amendment (Enforcement and Other Measures) Amendment Act 2022 (Cth) ("Amendment Act"), which became effective on 13 December 2022, will expand the extraterritorial application of the Privacy Act, increase the maximum civil penalty for a serious or repeated interference with the privacy of an individual and expand the investigation and enforcement powers of the Office of the Australian Information Commissioner ("OAIC").
Looking Ahead: The Amendment Act is expected to be the first tranche of comprehensive reforms to Australian privacy and cybersecurity laws that have been proposed by the Government. The Government is also consulting on additional reforms as part of its review of the Privacy Act, including enhanced risk management obligations in respect of the collection use and disclosure of personal information, the creation of tiers of civil penalty provisions, the creation of a direct right of action for an individual whose privacy has been interfered with and a statutory tort of invasion of privacy.
Key Changes Introduced by the Amendment Act
The Amendment Act introduces a number of key changes to the Privacy Act, Australian Information Commissioner Act 2010 (Cth) and Australian Communications and Media Authority Act 2005 (Cth) as described further below.
Extraterritorial Application. Currently under the Privacy Act, a private-sector organisation with an "Australian link" and with annual turnover of more than AU$3 million will be regulated as an "Australian Privacy Principle ("APP") entity". An "Australian link" will be established where an organisation: (i) carries on a business in Australia; and (ii) collects or holds personal information in Australia or an external Territory.
The Amendment Act will remove the second limb of the current definition of "Australian link", so that any organisation that carries on a business in Australia (and otherwise meets the definition of an APP entity) will be within the scope of the Privacy Act. The Attorney-General the Hon Mark Dreyfus KC MP explained that the purpose of this amendment is to "ensure Australia's privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians' information on services offshore".
This amendment could have significant implications for global companies that have operations in Australia, who otherwise might not have been within the scope of the Privacy Act in its current form, because of the way in which they collect and hold personal information. The application of the broader jurisdiction is yet to be tested judicially or the subject of any guidance. Notwithstanding this, the reforms will require a global corporate group with operations in Australia to consider carefully potential implications, particularly where foreign entities have business operations in Australia but only deal with personal information of Australians received from a related entity outside of Australia (irrespective of where that information is collected). This risk will become more significant as other reforms to the Privacy Act are implemented.
Increased Civil Penalties. The Amendment Act will increase the maximum civil penalty that may be imposed for a serious or repeated interference with privacy under section 13G of the Privacy Act, which is consistent with reforms to the maximum penalties for contraventions of the Australian Consumer Law.
Whilst the previous maximum civil penalty that may be imposed was relatively modest ($2.1 million per contravention or course of conduct), the Amendment Act will increase the maximum civil penalty for body corporates to the greater of: (i) $50 million; (ii) three times the value of the benefit obtained from the contravening conduct; and (iii) if the court cannot determine the value of that benefit, 30% of the body corporate's adjusted turnover during the breach turnover period (minimum of 12 months). "Adjusted turnover" is defined to mean the sum of the values of all the supplies that the body corporate, and any related body corporate, have made, or are likely to make, in Australia during the relevant period (subject to specific exclusions).
Enforcement Powers. The Amendment Act will provide the OAIC with a statutory power to make declarations following the conclusion of a privacy investigation under section 52 of the Privacy Act. In particular, the OAIC may issue a declaration requiring an APP entity to: (i) prepare and publish, or otherwise communicate a statement, about the conduct; and/or (ii) in consultation with the OAIC, engage a suitably qualified independent adviser to review the practices of the APP entity that is the subject of the investigation, the steps taken to ensure the conduct is not repeated and any other relevant matter.
The Amendment Act will also provide the OAIC with a statutory power to issue infringement notices for failing to provide information as required by the Privacy Act. Currently, a failure to provide information under section 66 of the Privacy Act is a criminal offence. The reforms give the OAIC more regulatory tools to address noncompliance with section 66, allowing the OAIC to issue infringement notices for minor instances of noncompliance whilst continuing to allow the OAIC to pursue criminal proceedings for serious instances of noncompliance.
Information-Gathering Powers. The Amendment Act will give the OAIC new information-gathering powers in relation to eligible data breaches under the Privacy Act. Specifically, the OAIC may compel the production of documents: (i) in relation to an actual or suspected data breach; and/or (ii) for the purposes of assessing an APP entity's compliance with Part IIIC of the Privacy Act.
The Amendment Act will also give the OAIC enhanced powers to share information or documents with an enforcement body, alternative complaint body, or state, territory or foreign privacy authority for the purposes of the OAIC or the receiving body exercising their powers, or performing their functions or duties.
Three Key Takeaways
- The Amendment Act will enhance the OAIC's investigatory and enforcement powers, as well as potential penalties for serious or repeated interferences with the privacy of an individual. This reform signals a move toward more active enforcement activities by the OAIC and ultimately to greater legal risk for corporations in Australia that suffer cyber incidents.
- The privacy and cybersecurity legal and regulatory framework is changing rapidly in Australia. This Amendment Act is only the first tranche of more extensive reforms expected over the next 12 to 18 months.
- To minimise substantial legal risk, it is critical that organisations are properly equipped to: (i) identify the impact of legislative change on their organisation; (ii) comply with all of their legal obligations in relation to privacy and cybersecurity; (iii) effectively respond to privacy and cybersecurity incidents; and (iv) engage with the OAIC and other stakeholders appropriately.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.