What you need to know
- Following recent high-profile data breaches, the Australian Government's Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will (if passed) significantly increase penalties for serious or repeated breaches of privacy law, and give enhanced powers to the regulator.
- Maximum penalties will rise from A$2.2 million to the greater of: A$50 million; three times the value of the benefit obtained from the contravention; or, if that benefit cannot be determined, 30 per cent of the company's domestic turnover during the "breach turnover period" (12 months or the duration of the contravention, whichever is longer).
- Proposed new regulatory powers signal a more robust and proactive Office of the Australian Information Commissioner (OAIC) – better able to investigate, coordinate with other regulators, keep the public informed, and assess privacy compliance.
- These new powers are backed by significant funding for the OAIC in the October Federal Budget, including almost A$17 million over two years to process privacy complaints and enhance the OAIC's capacity to take regulatory action (first announced in the March Budget), and new funding of A$5.5 million over two years to support the OAIC's response to the Optus incident.
- The Bill also clarifies that Australian privacy laws will apply to organisations doing business in Australia, whether or not personal information is collected in Australia.
- The Bill was referred to the Legal and Constitutional Affairs Legislation Committee on 27 October 2022, whose report is due 22 November 2022.
What you need to do
- Accelerate current projects – Get moving on privacy and security enhancements or rectification projects to limit potential exposure to higher penalties.
- Revisit regulator engagement in incident response plans – Clarify information flows and decision-making protocols. Make sure you have the processes in place to assess, and provide timely and accurate responses to, requests for information from regulators. Expect a regulator that will ask more questions in relation to data breaches, and may use its greater regulatory powers, including information sharing and infringement notices.
- Understand and address disclosure risks – Understand whether disclosures to regulators might breach confidentiality obligations to suppliers, customers and partners. Information that the law requires you to provide may have different consequences from information you provide voluntarily. Consider negotiating changes to key contracts to allow greater transparency.
- Understand and plan for financial exposure – New penalties, if passed, should be fed into organisational risk management strategies to help calibrate and reset the business case for cyber and privacy spend, including proactive data governance, cyber and privacy compliance reviews.
New Bill brings bigger penalties and a more powerful regulator
In response to a recent increase in high-profile cybercrime incidents, the Australian Government has brought forward key privacy law reforms under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
The Bill, if passed, will significantly increase penalties for serious or repeated privacy breaches, broaden the regulatory tools available to the Office of the Australian Information Commissioner (OAIC) and improve information-sharing among regulators (including foreign regulators).
The Bill also clarifies that Australian privacy laws apply to organisations carrying on business in Australia, whether or not personal information is collected in Australia. This reflects the position currently taken by the OAIC, but that position has been challenged (for example, Clearview AI argued that it did not collect personal information in Australia, but collected it from overseas sources).
Significant new penalties – organisations should act fast
The Bill, if passed, will increase penalties for serious or repeated breaches of privacy to the greater of:
- A$50 million;
- three times the value of any benefit obtained from the misuse of the information; or
- if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the "breach turnover period".
The "breach turnover period" is 12 months or the duration of the contravention, whichever is longer.
For longer-term, systemic breaches by larger organisations, this framework could mean maximum penalties significantly higher than the A$50 million headline figure.
The increased penalties mirror those under the recently passed Treasury Laws Amendment (More Competition, Better Prices) Act 2022 for breaches of competition law. They are significantly higher than the current maximum of A$2.2 million, and than the penalties consulted on by the previous Government (the greater of A$10 million; three times the value of the benefit; or, if the value cannot be determined, 10 per cent of domestic annual turnover).
The increased penalties will not apply retrospectively to acts done, or practices engaged in, before commencement of the new penalties.
To avoid possible exposure to significantly higher penalties, organisations should consider accelerating privacy and security enhancements or rectification projects.
An improved toolkit and better funding means a more capable, more active privacy regulator
The Bill introduces new regulatory tools and flexibility that should see a more proactive regulator with more capacity and capability to investigate more privacy incidents.
This expanded regulatory toolkit includes:
- New infringement notices for failure to give information when required to do so, with associated civil penalties and a criminal penalty for systemic or pattern behaviour.
- Power to assess an entity's ability to comply with the Notifiable Data Breaches (NDB) scheme (not just whether the entity actually complied with the scheme).
- New information-gathering powers in relation to actual or suspected data breaches, or to conduct assessments of any kind, including of an entity's ability to comply with the NDB scheme.
- Statements about contraventions – a respondent may be required to prepare, provide to complainants, or publish, a statement about the conduct that led to an interference with privacy.
- Independent review – in addition to requiring a respondent to take steps to ensure the infringing conduct is not repeated or continued, the Commissioner will have the power to require an independent and suitably qualified adviser to conduct a review and provide a report to the Commissioner.
- Publishing information – the Commissioner will be able to publish information that is in the public interest.
- Information-sharing with regulators – the OAIC and the Australian Communications and Media Authority (ACMA) will be able to better coordinate and share information with regulators and enforcement bodies, including foreign regulators.
- Internal coordination – the OAIC will be able to better coordinate its various functions by sharing information internally, and by delegating Information Commissioner functions and powers to OAIC staff.
What does this mean for you?
The reforms and additional funding emphasise the need for carefully thought-out incident response plans, regulator engagement strategies and responsibilities, internal information flows, and decision-making frameworks.
Organisations will need to provide timely and accurate information to the regulator.
Keep in mind that broader rights to publish and share information may lead to early assessments (which may be incorrect or incomplete) being publicised, so robust decision-making and information controls are essential.
While many of the changes proposed in the Bill, including increased penalties, may seem targeted at the "big end of town", a better-funded regulator with an improved regulatory toolkit will have implications for a broad range of breaches, including less severe ones which the OAIC might not have had the capacity or the tools to tackle in the past.
Authors: John Macpherson, Director, Risk Advisory; Amanda Ludlow, Partner, Digital Economy Transactions; Tim Brookes, Partner, Digital Economy Transactions; Andrew Craig, Partner, Digital Economy Transactions; and Andrew Hilton, Expertise Counsel, Digital Economy Transactions.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.