Big penalties and a more powerful Australian privacy regulator
03 November 2022
In response to a recent increase in high-profile cybercrime incidents, the Australian Government has brought forward key privacy law reforms under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.
The Bill, if passed, will significantly increase penalties for serious or repeated privacy breaches, broaden the regulatory tools available to the Office of the Australian Information Commissioner (OAIC) and improve information-sharing among regulators (including foreign regulators).
The Bill also clarifies that Australian privacy laws apply to organisations carrying on business in Australia, whether or not personal information is collected in Australia. This reflects the position currently taken by the OAIC, but that position has been challenged (for example, Clearview AI argued that it did not collect personal information in Australia, but collected it from overseas sources).
The Bill, if passed, will increase penalties for serious or repeated breaches of privacy to the greater of:
The "breach turnover period" is 12 months or the duration of the contravention, whichever is longer.
For longer-term, systemic breaches by larger organisations, this framework could mean maximum penalties significantly higher than the A$50 million headline figure.
The increased penalties mirror those under the recently passed Treasury Laws Amendment (More Competition, Better Prices) Act 2022 for breaches of competition law (read more in our Update here). They are significantly higher than the current maximum of A$2.2 million, and also higher than the penalties consulted on by the previous Government (the greater of A$10 million; three times the value of the benefit; or, if the value cannot be determined, 10 per cent of domestic annual turnover).
The increased penalties will not apply retrospectively to acts done, or practices engaged in, before commencement of the new penalties.
To avoid possible exposure to significantly higher penalties, organisations should consider accelerating privacy and security enhancements or rectification projects.
The Bill introduces new regulatory tools and flexibility that should see a more proactive regulator with more capacity and capability to investigate more privacy incidents.
This expanded regulatory toolkit includes:
The reforms and additional funding emphasise the need for carefully thought-out incident response plans, regulator engagement strategies and responsibilities, internal information flows, and decision-making frameworks.
Organisations will need to provide timely and accurate information to the regulator.
Keep in mind that broader rights to publish and share information may lead to early assessments (which may be incorrect or incomplete) being publicised, so robust decision-making and information controls are essential.
While many of the changes proposed in the Bill, including increased penalties, may seem targeted at the "big end of town", a better-funded regulator with an improved regulatory toolkit will have implications for a broad range of breaches, including less severe ones which the OAIC might not have had the capacity or the tools to tackle in the past.
Authors: John Macpherson, Director, Risk Advisory; Amanda Ludlow, Partner, Digital Economy Transactions; Tim Brookes, Partner, Digital Economy Transactions; Andrew Craig, Partner, Digital Economy Transactions; and Andrew Hilton, Expertise Counsel, Digital Economy Transactions.
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.