After a number of significant and high-profile cyber incidents in the last few weeks, it was almost inevitable the Government would take steps to fast-track its privacy reform agenda by seeking to push through headline-grabbing changes to the Privacy Act 1988 (Cth) (Privacy Act).
Following the Attorney-General's (AG) foreshadowing on 22 October 2022, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Privacy Bill) was introduced into Parliament earlier last week. The proposals have been a long time coming – higher penalties were already in the works during the prior administration's term of office – but the current proposals have the potential to be a game changer for corporate Australia.
The new Privacy Bill proposes three major changes to Australia’s privacy laws:
The maximum penalty for serious or repeated breaches of the Privacy Act is currently capped at $2.22 million (for corporate entities). The harsh reality is that this is a relatively modest limitation, and for some organisations, a relatively minor cost of doing business in Australia, not least for some data-rich organisations prevalent in the global tech sector.
Under the proposed Privacy Bill, this luxury would no longer exist. Any entity found to have committed a serious or repeated interference with privacy could face a direct penalty of the greater of $50 million, three times the value of the benefit obtained or, where the benefit cannot be determined, 30% of its annual turnover.
Below is an overview of current and proposed maximum penalties for serious and repeated interferences with privacy under each regime:
| Law | Current civil penalties | Proposed civil penalties |
|---|---|---|
| Maximum penalties | Bodies corporate: up to 5 x 2,000 penalty units (currently $2.22 million). Other entities (incl. individuals): up to 2,000 penalty units (currently $444,000). | Bodies corporate: the greater of (a) $50 million; (b) three times the value of any benefit obtained through the misuse of information; or (c) 30 per cent of the company's adjusted turnover in the breach turnover period for the contravention, if the benefit cannot be determined. Persons other than a body corporate: an amount not more than $2.5 million. |
The Privacy Bill does not go as far as providing the OAIC with a direct enforcement right, or an ability to intervene to resolve a data breach (as was provided to Government in the recently-enacted amendments to the Security of Critical Infrastructure Act 2018 (Cth)). The Federal Court will always retain discretion as to the actual penalty imposed, taking into account the particular circumstances of any breach, including the number of people affected, the nature of the compromised data, the consequences and the company's actions associated with the breach (including any deliberate or reckless delays, acts or omissions relating to information protection or other compliance requirements).
However, as evidenced by some of the Court's recent decisions, the maximum penalties can be applied in a way that imposes far greater penalties on organisations, including in cases where the Court takes the view that the maximum penalty should apply on a per-breach basis – i.e. for each contravention of the Privacy Act. This gives the Courts the potential to impose far greater liabilities for contraventions, which should have the effect of focusing the minds of all organisations subject to the Privacy Act, whether large or small, on reassessing their data risk management protocols and frameworks to best meet their compliance obligations.
If passed as proposed, based on the current text of the Privacy Bill, the OAIC will have broad powers to give APP entities notice to produce information and documents relating to actual or suspected eligible data breaches and that entity’s compliance with its obligations to notify the OAIC and affected individuals under the Notifiable Data Breach Regime of the Privacy Act.
Most notably, the Bill proposes to extend the extraterritorial jurisdiction of the Privacy Act to overseas processing activities, even if the foreign organisations do not collect or hold Australians' information directly from a source in Australia. This expands the definition of when an 'Australian link' exists for the purpose of applying the Privacy Act to foreign entities carrying on business in Australia, beyond the current practical application.
This has the potential to overtake the ongoing discussions that Federal, State and Territory Governments have had to date with global tech companies in the context of the National Data Security Action Plan regarding the requirement to process Australian customers’ data onshore.
If the Bill is passed in its current form, the OAIC will have enhanced information sharing powers for the purpose of exercising its powers or performing its functions and duties with:
At present, the OAIC can only share information where it is of the view that a complaint could be better dealt with by an alternative complaint body. Under the Privacy Bill, these information sharing powers would be expanded to include other enforcement bodies, and would be broadly exercisable in the ordinary course for the OAIC. Further, if the OAIC is of the view that it is in the public interest to do so, certain information obtained would also be able to be published publicly.
In presenting the Privacy Bill to Parliament, the AG confirmed these additional powers would be crucial for the OAIC to navigate future data breaches with greater authority. Some may see these information-sharing powers as yet another land grab by law enforcement authorities seeking to increase their information-gathering capabilities outside of usual due process. However, this should be taken as a clarion call for all organisations to act promptly and do far more to assess their compliance frameworks and infrastructure and do what is necessary to manage the risk and mitigate the impacts of cyber and data incidents.
The increased OAIC powers and significantly increased penalties demonstrate an awakening and a strong commitment by the Federal Government to take action to protect individual Australians’ personal information.
However, it is difficult to see how the OAIC can meaningfully resource the likely increased workload that these enhanced powers will bring, particularly in the current environment where data breaches are regularly being reported. The increase in funding announced by the Chalmers budget earlier this week (to provide the OAIC with a further AU$5.5m to help manage the fall-out from one recent high-profile breach) is, to put it mildly, modest. It will be spent very quickly – not least given the scale and number of incidents that have provided the tipping point for the recently announced changes. Arguably, to the extent these incidents attract penalties under the current regime, they may provide some relief to the OAIC coffers (assuming that the fines are not channelled to consolidated revenue but are directed to the OAIC). However, without further express commitments from the Government on future funding and resourcing support for the OAIC, there is a real risk that these much-needed reforms will result in another regulator becoming a paper tiger.
There is also an additional risk, not often discussed, that can come with the imposition of high penalties for information privacy breaches. In the international context we have seen, not least following the introduction of high fines under the EU GDPR and the Californian CCPA, the unexpected side effect of these stiff penalties becoming a 'red rag to a bull' for cyber criminals. The media attention associated with data breaches, particularly those to which a large penalty may apply, can result in a trophy hunt for malicious actors in the lucrative ransomware market. Many stand poised to increase their efforts with the objective of extorting larger amounts from organisations that are fearful of allowing a data breach to become public, or of being exposed to the risk of the higher statutory penalties.
It also remains to be seen how effective these new measures will be in changing the behaviour of organisations that have, historically, taken a lax approach to privacy and data protection. Perhaps a more granular approach to the threshold triggers for penalties would have a more lasting impact on behaviours than a high-watermark fine: for example, a sliding scale for various categories of serious data breach (similar to the tiered approach proposed in the previous Government's discussion paper), or more prescriptive penalties for those critical or high-risk sectors where the impact of a data breach may result in a greater detriment to individuals (e.g. regulated sectors such as health care). Indeed, in the current, more personalised data-exchange environment, where individuals are happy to exchange certain information for a financial benefit, we would suggest that a more granular approach focusing on critical or sensitive information would result in a better outlook for Australians.
A 'big stick' such as that proposed under the current Privacy Bill is likely to encourage a range of different behaviours from affected businesses. The good corporate citizens will rise to the challenge and take steps to embed appropriate privacy and data handling practices within their organisations (if they have not already done so). On the other hand, there are outliers who ignore their obligations and then, when faced with the prospect of large penalties, seek to sweep incidents under the carpet and hope the regulator focuses its attention on others. Penalties in this circumstance may reinforce a lack of transparency and the art of the cover-up at a time when consumers, governments and broader corporate Australia need to pull together to deal with the continuing and evolving cyber risk landscape.
Regardless, it is becoming very clear that organisations carrying on business in Australia can no longer look at privacy and data risk as a cost of doing business here. Comprehensive data audits, data risk management frameworks and Board-level review and oversight must now become part of the daily culture for organisations – not only to avoid the brand and reputational damage usually accompanying a serious data breach, but now also to mitigate the risk of hefty penalties and fines being imposed and the potential for public dissemination of failing internal practices.
The Privacy Bill has now been referred to the Senate Legal and Constitutional Affairs Committee for consultation. Submissions from the public will be accepted until 7 November 2022 with the Committee proposing to report on the final form on 22 November. It is expected that the Bill (as updated with any final tweaks) will be formally passed pre-Christmas. It is also anticipated that the Government’s report on further reforms to the Privacy Act will be announced in a similar timeframe.
We will continue to monitor the upcoming reforms to the Privacy Act and will keep you abreast of these developments as they arise. Our Privacy & Security team at Gadens has extensive experience in privacy, data protection and cyber security. We would be delighted to support you and your stakeholders with your data risk management plans and enquiries, so please do not hesitate to reach out to any of the team.
Antoine Pace, Partner
David Smith, Partner
Dudley Kneller, Partner
Sinead Lynch, Partner (Foreign Qualified Lawyer, not admitted to practice in Australia)
Freya Vom Bauer, Associate