Australias massive new privacy penalties become law but will be clarified
02 December 2022
02 December 2022
This is an update to our earlier publication: Big penalties and a more powerful Australian privacy regulator.
In response to recent high-profile cybercrime incidents, the Australian Parliament has passed key privacy reforms under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth):
The reforms are a clear message from the Australian Government that penalties for privacy breaches are not "simply the cost of doing business". The new penalties are intended to create incentives for strong data security safeguards.
The reforms have been rushed through in response to recent cyber incidents, and will be reconsidered as part of a broader review of the Privacy Act. The penalty regime won't fundamentally change, but there's ample room for clarification on when it will apply.
The Senate has called on the Government to:
The Senate Legal and Constitutional Affairs Committee also highlighted for particular consideration:
These issues and more will be considered as part of the Government's broader review of the Privacy Act. The final report of the Attorney-General's Department is expected to be given to the Government by the end of the year, and the Attorney-General intends to progress reforms during the term of this Parliament.
The penalty for a serious or repeated breach of privacy has been increased to the greater of:
The "breach turnover period" is 12 months or the duration of the contravention, whichever is longer. For longer term systemic breaches by larger organisations, this framework could lead to maximum penalties significantly higher than the A$50 million figure.
While the increased penalty does not apply retrospectively to past acts or practices, it will apply to contraventions which are by their nature repeated or continuing. To minimise risk, now is the time to audit and rectify privacy practices.
The new penalty regime significantly exceeds both the current maximum of A$2.2 million and the penalty consulted on by the previous Government (the greater of A$10 million or three times the value of the benefit, or if the value cannot be determined 10% of domestic annual turnover).
The A$50 million figure is significantly higher than the potential penalty of €20 million under the European Union General Data Protection Regulation (GDPR). While 30% of domestic turnover under Australian law appears significantly higher than the possible GDPR penalty of 4% of global revenue, the impact on companies doing more of their global business in Australia will be greater because the Australian penalty does not take into account global revenue.
The new privacy penalty reflects recent changes to competition and consumer law penalties, and imports the notion of receiving a "benefit" from that context.
The Senate Legal and Constitutional Affairs Committee expressed concerns that calculating the penalty by reference to the "benefit" obtained, for example from a data breach, has the potential to lead to "perverse outcomes".
The 30% of turnover limb of the penalty only applies where the value of benefit obtained through the misuse of the information cannot be determined.
Where a corporation receives no benefit from an interference with privacy (eg where it suffers significant harm from a cyber attack) then the 30% of turnover limb might not apply. The benefit might be determinable by the court, but determined to be zero. The maximum penalty would therefore be the greater of A$50m and zero, disregarding a company's turnover entirely.
As part of the broader privacy review we will likely see calls to clarify that where a company does not benefit from a misuse of information, a company's turnover will be taken into account. If that approach is adopted, larger corporations would potentially see much higher maximum penalties.
In the context of significantly higher penalties, various submissions and the Senate Legal and Constitutional Affairs Committee raised concerns that the terms "serious" and "repeated" are not defined in the legislation. The Government has accepted the committee recommendation to examine, as part of the broader privacy review, whether to define the terms "serious" and "repeated".
The concept of a serious or repeated interference with privacy is part of Australia's existing privacy laws. The OAIC "Guide to privacy regulatory action" sets out the factors to be taken into account in interpreting the legislation, as well as the circumstances in which the OAIC is more likely to take action. Although this guidance is not set out in the legislation, it provides an interpretive framework and is likely to be taken into account when applying the regime.
Including definitions in the legislation will create a more stable and predictable regime, more easily understood from the text of the Act. However, this may come at the cost of reduced flexibility, as guidelines can be more easily adapted to address emerging challenges.
In the face of potentially massive penalties, various submissions called for a system of tiered penalties, similar to the GDPR – so the highest penalties will apply to the most egregious of cases only, or will not unfairly impact smaller organisations and charities.
The Attorney-General's Department is considering a "mid-tier" penalty that could apply for a breach of the Privacy Act that is not a serious or repeated interference with privacy. This appears to be an additional penalty for lesser offences, not a restriction on when the larger penalty would apply.
As part of the broader review of the Privacy Act, the Government will consider a tiered approach to penalties – potentially linked to whether an organisation has taken reasonable steps to prevent or mitigate an interference with privacy.
Australian privacy laws now apply to organisations "carrying on business" in Australia whether or not personal information is collected in Australia.
While this amendment is convenient for enforcing Australian privacy laws in a modern digital context, Australia's Privacy Act no longer expressly requires personal information governed by the Act to have any connection to Australia.
The Government has accepted the committee's recommendation to examine, as part of its broader review of the Privacy Act, whether it is appropriate to provide for any additional Australian link requirement.
This amendment brings significant uncertainty about the scope of Australia's privacy laws, and requires urgent clarification and guidance. Organisations looking to do business in Australia should carefully consider how they structure their business and data operations – for example, it may be possible to limit the impact of Australian privacy legislation by using a separate Australian subsidiary to handle Australian personal information. However, even with these structures, the OAIC has asserted that an offshore entity providing services to its Australian related entity may still be carrying on business in Australia and bound by Australian privacy laws.
The OAIC will have new regulatory tools and flexibility that should, together with an ongoing focus on funding, see a more proactive regulator with capacity and capability to investigate and litigate more privacy incidents.
The focus of the reforms are information gathering and sharing – for example, the regulator will now be able to issue infringement notices, without going to court, for a failure to give information when required. Depending on how the regulator approaches these new powers, we may see a significant change to pace and intensity of investigations and assessments, which could further strain organisations and cyber-security personnel working on recovering from cyber incidents.
This expanded regulatory toolkit includes:
These reforms emphasise the need for well thought out incident response plans, regulator engagement strategies and responsibilities, internal information flows, and decision making frameworks.
Organisations will need to provide timely and accurate information to the regulator. Keep in mind that broader rights to publish and share information may lead to early, assessments (that may be incorrect or incomplete) gaining a wider audience, so robust decision making and information controls are essential.
While many of the changes may seem targeted at the "big end of town", a better funded regulator with an improved regulatory toolkit will have implications for a broad range of breaches, including less severe ones which the regulator might not have had the capacity or tools to focus on in the past.
New powers to issue infringement notices for failure to provide information when required will see a dramatic shift in how the regulator investigates privacy concerns. The reforms also set the stage for a regulator that takes a more proactive audit and compliance role before incidents occur, as well investigating and litigating after the event.
In the face of significant new penalties, organisations should look not only to cyber defence and cyber resilience, but also reducing the potential harm to individuals should a cyber attack be successful. Organisations are already reviewing data collection and retention policies and where possible destroying or de-identifying personal information, particularly more sensitive information or information that could be used for identity fraud.
But these reviews should not be a one-off project. Organisations need to continue to test and re-test what data needs to be collected and retained, and invest in high quality privacy impact assessments to help identify and mitigate privacy risks.
Organisations are also investigating how privacy can be embedded in systems –adopting "privacy by design" principles, and investigating trusted digital identity frameworks and privacy enhancing technologies such as homomorphic encryption.
Building security and privacy capability has never been more important. In all likelihood, we will see a range of reforms in the pipeline and a more proactive privacy regulator, and businesses operating in Australia will need the capability to adapt. This will be particularly challenging with a tough market for security and data privacy talent.
Authors: John Macpherson (Director, Risk Advisory); Tim Brookes (Partner, Digital Economy Transactions), Amanda Ludlow (Partner, Digital Economy Transactions), Geoff McGrath (Senior Associate, Digital Economy Transactions) and Andrew Hilton (Expertise Counsel, Digital Economy Transactions).
The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.