Privacy Act Amendments: Real deterrent or window dressing?

With Optus and Medibank data breaches affecting over 10 million Australians, many have pointed to inadequacies in Australia’s privacy laws. The government has responded by fast-tracking Privacy Act amendments.

But if passed, will these amendments lead to real changes in privacy protections, or are they more window dressing for Australia’s tired and increasingly out-of-date Privacy Act?


Privacy Act amendments: Background

In the last few months Australians have been rocked by two major data breaches. The first affected nearly 10 million customers of Optus, one of Australia’s largest mobile phone providers. Information Commissioner Angelene Falk called the Optus breach one of the largest in Australia since the Notifiable Data Breach regulations went into effect in 2018.

Both the OAIC and Australian Communications and Media Authority are investigating the Optus data breach. The OAIC said it will investigate the company’s data protection efforts and compliance with privacy laws, while the ACMA is investigating whether its maintenance and disposal of personal data meets industry obligations.

Shortly after news of the Optus breach, Medibank (one of Australia’s private health insurers) announced that it had been the subject of a cyber attack, with ransom demands being made by the attackers. According to Medibank, 9.7 million current and former customers are affected by the breach. That includes 5.1 million Medibank customers, 2.8 million ahm customers, and 1.8 million international customers. The compromised data includes health records. The insurer says health claims for about 160,000 Medibank customers, 300,000 ahm customers and 20,000 international customers were accessed. The information exposed includes service provider names and codes associated with diagnoses and procedures.

After Medibank confirmed it would not pay any ransom, the ransomware group started posting Medibank customer data on the dark web. The initial dump, limited to a few hundred megabytes, was posted on a blog linked to the Russian ransomware group REvil overnight. The data includes hundreds of names, addresses, birthdates, Medicare numbers and hospital addresses posted as “good list” and “naughty list.”


Privacy Act amendments: What’s proposed?

In October 2022, the Attorney-General introduced legislation to amend Australian privacy law, including substantially higher fines and additional powers for the Office of the Australian Information Commissioner (OAIC).

In response to the Optus and Medibank data breaches, the Australian Attorney-General Mark Dreyfus introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) into the Australian Parliament. According to the Attorney-General, “Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset”, and the amendments are designed to encourage compliance with those obligations.

The Bill will amend the Privacy Act 1988 (Cth) (Privacy Act), introducing:

  • Maximum penalties of $50 million and more for serious or repeated interferences with privacy;
  • Enhanced powers (including new information gathering and sharing powers) for the Office of the Australian Information Commissioner (OAIC); and
  • Broader extra-territorial application of the Privacy Act.

The Bill has been moved to a second reading, following a review by a Senate Committee, and is expected to pass before the end of 2022.

Privacy Act amendments: Strengthened penalties

One of the most substantial changes proposed by the Bill is the increase to penalties. Presently, the maximum penalty for a company is $2.22 million. The Bill seeks to increase this to an amount not more than the greater of:

  • $50 million; or
  • three times the benefit obtained by the company and any related body corporate from the breach; or
  • if a court cannot determine the amount of the benefit, then 30% of the ‘adjusted turnover’ of the company’s Australian group during the ‘breach turnover period’, which will be 12 months, or longer if the breach period was longer.

These amounts align with the maximum penalties for contraventions of the Australian Consumer Law, introduced with the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022 (Cth).

However, penalties can still only be imposed for ‘serious’ or ‘repeated’ interferences with privacy, and the OAIC is required to bring civil penalty proceedings in the Federal Court.

To date, even though the OAIC has had the power to apply for penalties since 2014, it has only commenced civil penalty proceedings once.

Privacy Act amendments: Enhanced powers for the OAIC

The Bill also gives the OAIC new powers to assist in its investigations and enforcement. Some of these are discussed below:

Data breach notification powers

The OAIC will have the power to issue a notice requesting information or documents, or requiring a person to answer questions, about an actual or suspected eligible data breach under the Notifiable Data Breaches (NDB) scheme. With this power, the OAIC will be able to investigate data breaches further, which among other things will allow the OAIC to better understand the risk of harm to individuals from the breach.

Failure to comply will be subject to criminal penalties.

The OAIC will also be given the power to assess an entity’s compliance with the NDB scheme, as an extension of its powers to conduct assessments relating to an entity’s compliance with the APPs. This will allow the OAIC to assess the extent to which there are processes and procedures to assess suspected eligible data breaches and provide notice to at-risk individuals, to

Information gathering powers when assessing compliance with the Privacy Act

The OAIC will also have new powers to require, by written notice, that entities produce any relevant information as part of its general assessment powers.

The stated aim of introducing those broad powers is to ensure Australians are informed about instances where their privacy may have been compromised, and are able to take measures to protect their personal information.

New public interest disclosure powers

The Bill will allow the OAIC to disclose information acquired in the course of the exercise of its powers and functions, if it is satisfied that disclosure is in the public interest. This provision is a likely consequence of the high public interest and concern arising from recent data breaches.

Independent advisers

The OAIC will now also be empowered to require a party to engage an independent adviser (when requiring that party to undertake steps to ensure contravening conduct is not repeated) and publish a statement about the conduct that led to the breach.

This is aimed at providing greater transparency and visibility as to an entity’s remediation activities and conduct following a breach.


Extra-territorial effect

The Bill will make it easier for the Privacy Act to apply to overseas companies, with the only additional requirement being that they carry on business in Australia. At present, for the Privacy Act to apply to an overseas company, it must also collect or hold personal information in Australia.

The purpose of these amendments is to clarify that the Privacy Act will apply even where a foreign organisation does not collect Australians’ information directly from a source in Australia. For example, this would capture organisations that collect information from a digital platform that does not have servers in Australia.

Privacy Act amendments: Will they work?

Australian privacy experts have reservations about the current proposed amendments. A range of civil society organisations, academics and industry groups have made submissions around the Bill.

Most of those submissions are aligned, with some main themes emerging, including the following:

More comprehensive reform

The Australian Privacy Act has been under review for over 3 years. Australian civil society has invested significantly in responding to the lengthy discussion papers issued in 2020 and then again in 2021. These papers covered an extensive list of suggested amendments, and have been supported by follow-up engagement sessions.

It is not clear why the full program of reform could not have been fast-tracked for consideration, together with the matters covered in the Bill.

OAIC funding and resources

Inadequate funding of the OAIC has long been a concern of privacy advocates, with many questioning if the OAIC is able to adequately investigate breach cases given its current level of staffing.

Before the most recent Budget, Ms Falk (the Australian Information Commissioner) appealed to the government for more funding, warning that her office was “unable to keep up” with its increased workload and revealing that it had achieved less than two thirds of its key performance indicators. Following that appeal, the OAIC was granted an additional AU$5.5 million, but targeted at assisting the OAIC to “investigate and respond to the Optus data breach”, InnovationAus reports.

This funding represents a two-year investment in the OAIC.

The fact that this one-off additional funding was made suggests that the government is well aware that the OAIC as currently funded does not have the capacity to properly exercise its powers.


Retention and deletion

The Optus breach in particular highlighted issues with the amount of data that organisations collect and retain.

University of New South Wales Faculty of Law and Justice data privacy expert Katharine Kemp also recommended the Privacy Act be amended to clearly state when companies must delete customer data.[1]

As part of our submission, Privacy 108 recommended that data minimization be considered as a core stand-alone APP. We also recommended that consideration be given to more prescriptive requirements for the retention of personal data. These might include requiring covered entities to identify, for the different categories of personal information that they collect and hold:

  • The basis for retention;
  • The retention period that applies;
  • The extent to which the personal information can be pseudonymized or anonymized.

Are increased penalties enough: real deterrent or window dressing?

Although the Bill covers a number of things, the focus has been on the increased penalties, and how they are necessary to act as a real deterrent to poor privacy practices by covered Australian entities.

The language of the Attorney-General’s second reading speech highlights this, referring to the Bill in terms of it implementing a “significant increase” in “penalties under the Privacy Act for serious or repeated privacy breaches to incentivise businesses to take strong privacy and cybersecurity measures to protect the personal data they hold”.

In some respects, encouraging the Australian business community to take privacy seriously by having a “blockbuster” style offence with a big penalty regime attached is a bit like trying to encourage better road behaviour by having the only road offence as motor-vehicle manslaughter, but imposing a higher penalty for it. The blockbuster offence approach is actually worse in the privacy context than in the road safety paradigm because there are so few privacy enforcement cases and the offence is so much more difficult to prove.

It seems to us that the Bill, as drafted, is unlikely to be effective unless some of the issues outlined above are addressed. Perhaps this will come with the comprehensive privacy reform that we’ve been promised for some time. Our fingers are crossed.

References:

  • Information about the Bill is available here.
  • Submissions to the review of the Bill are available here.

[1] Report here.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.