Major changes to privacy law announced – but will they be implemented?

25 March 2019
David Smith, Consultant, Melbourne

Key points

  • Commonwealth Government announces large increases to penalties for privacy breaches
  • Regulator to receive funding boost and additional enforcement powers
  • Social media sites and other online platforms face further specific privacy requirements
  • Looming Federal election leaves some uncertainty over whether changes will be implemented

Mosque massacre prompts Government into action on privacy law reform

About 10 days ago I spoke at a privacy conference and stated my view that major changes to privacy law in Australia were inevitable.

I was asked the question, “When will the changes occur?” My answer was that it was hard to be more precise than “sometime in the next few years”.

As I was speaking, the mosque massacre in New Zealand was unfolding. It seems that one of the consequences will be to accelerate privacy law changes in Australia.

The massacre, and the role social media played in relation to it, has prompted the Federal Government to review the regulation of social media sites and to announce changes to privacy law yesterday that are intended to significantly improve privacy compliance by all organisations governed by the Privacy Act 1988.

While the impetus for the changes seems to be to hold companies like Facebook and Twitter to higher standards, the changes would have significant consequences for most Australian companies with annual revenue over $3 million.

“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” Commonwealth Attorney-General Christian Porter said yesterday.

Additional funding for regulator and increased civil penalties

The Office of the Australian Information Commissioner will be allocated an additional $25 million (over 3 years) commencing with next month’s Federal budget, to bolster its enforcement capability. Further, the maximum civil penalties that the OAIC can recover for a serious privacy breach, or repeated privacy breaches, will be increased from $2.1 million (for a company) to the higher of:

  • $10 million;
  • three times the value of the benefit obtained from the breach(es); or
  • 10% of the company’s annual domestic turnover in the last 12 months.

This could be a “game changer”. For 5 years now, the OAIC has had the power to pursue civil penalties for privacy breaches, but has never used it. If the OAIC, properly resourced, starts to wield this power it will send a powerful message to companies to take privacy compliance much more seriously.

Regulator’s enforcement options broadened

The OAIC will also receive further enforcement powers including the ability to issue infringement notices.

It is likely that the OAIC would issue infringement notices in situations where there is a privacy breach that is serious enough to warrant enforcement action, but not serious enough for the OAIC to commence court proceedings immediately.

If a company receives an infringement notice it will be required to pay the penalty stated in the notice within a fairly short period (our guess is 28 days) or face the prospect of the OAIC taking the company to court and seeking a more substantial penalty. The information issued by the Government so far doesn’t clearly state the penalties associated with such an infringement notice but they will likely be in the order of $10,000 – $100,000 per privacy breach.

The OAIC has stated that it will develop guidelines about how it will use its new powers.

Right for individuals to halt use/disclosure of their personal information

Individuals will be given a new right to require social media sites and other online platforms to cease using or disclosing their personal information.

Code for online platforms trading in personal information

The Government will mandate a code for online platforms, including social media platforms, which trade in personal information. The code will require more transparency about data sharing and more specific consent of users to the collection, use and disclosure of their information. This change may be driven in part by the reported sharing of Facebook data with Cambridge Analytica without Facebook users’ consent, which the OAIC is already investigating.

Rules to protect children and vulnerable groups

Specific new rules will be introduced to protect the personal information of children and other vulnerable groups. We await clarification by the Government as to the nature of these rules.

Federal election leaves an element of uncertainty

The immediate question mark that hangs over the proposed changes is whether they would be implemented by a Labor government if elected in May, which recent polls indicate is a distinct possibility if not a likelihood. The current Government is planning to prepare draft legislation to implement the above changes, for consultation in the second half of 2019 (i.e. after the election). We await an indication from the Labor party as to whether it supports the changes.

The Government also states that the draft legislation will incorporate any findings of the ACCC’s Digital Platforms inquiry (see our earlier article here). The ACCC is due to make its final recommendations arising from that inquiry on 3 June 2019. Those recommendations may well contain further proposals to significantly “raise the bar” for privacy law compliance in Australia.

Companies must face the inevitable and take privacy compliance more seriously

Whatever the fate of these specific proposals, it is very clear that as:

  • more data about individuals is being collected and aggregated;
  • the value and range of uses of the data are increasing; and
  • more data breaches (accidental or via hacking) are occurring,

privacy law reforms will inevitably occur in the near to medium term and Australian companies will be required to take privacy compliance much more seriously.

Companies must come to grips with the idea that they need to develop their own privacy law and data security technical expertise and invest significantly more in their privacy compliance programs.

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.