Privacy Act changes proposed … but will they work?

This week the Federal Attorney-General introduced legislation to increase fines for privacy breaches, largely in response to the Optus and Medibank data breaches. We cover the Optus data breach in more detail here and here.

It’s been quite a few weeks for Australian privacy and security professionals, with an unusually high number of reported data breaches that are being followed closely by the Australian media and causing concern to the many millions of affected Australians.

The first response to this spate of significant breaches is the Bill[1] introduced to parliament last week, which seeks to give the Privacy Commissioner greater enforcement powers and to increase penalties for breaches of the Privacy Act.

We explain more about what’s proposed in this new Bill below, plus some observations on what might change as a result of the new provisions.

What changes are proposed?

Currently the Privacy Act provides a penalty for serious or repeated interferences with privacy, which sits at AUD$2.5M for organisations. The Bill seeks to increase that penalty to an amount not exceeding the greater of:

  • $50 million;
  • three times the value of the benefit obtained; or,
  • if the court cannot determine the value of the benefit, 30% of the organisation’s adjusted turnover in the relevant period.

In announcing the legislative changes, the Attorney-General noted the need for the increased penalty to ensure that a major data breach is seen as more than just the cost of doing business. He said “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.” Improving the privacy and security behaviours of Australian organisations is a clear regulatory objective.

The Bill amends the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians’ information directly from a source in Australia.

The Bill also seeks to enhance the Privacy Commissioner’s enforcement powers including by:

  • expanding the types of declarations that the Commissioner can make as part of an investigation,
  • providing the Commissioner with new powers to conduct assessments and new infringement powers, and
  • giving the Commissioner information gathering powers as part of the Notifiable Data Breach scheme.

Additional OAIC funding to support changes

Separately from the announcements about the Bill, the OAIC also received additional funding in Tuesday night’s budget to support its response to and investigation of the Optus data breach, and had its previous funding, announced in March 2022, confirmed. The Privacy Commissioner said[2] that “the OAIC has shifted to a stronger enforcement posture in line with increased privacy risks and the community’s growing concerns over the protection of their data” and that the funding “is an important addition to assist us in promoting and upholding privacy rights for the community.”

While we support the increased funding for the OAIC, as well as the specific funding for the Optus data breach response, without a consistent and confirmed increase in the OAIC’s funding, higher fines are likely to do little to improve overall compliance with the Privacy Act.

It is also unusual for the OAIC to receive funding tied to a particular data breach. Given the spate of recent data breaches being reported in the media, it will be interesting to see whether the government undertakes a wholesale review of the OAIC’s funding so that it can enforce the Privacy Act proactively, rather than providing reactive, piecemeal funding increases.

The OAIC needs to be properly funded and staffed with experts in data protection and privacy to enable proactive regulation that is taken seriously by business. Anything short of that, even with increases in fines, is likely to have little effect on privacy compliance.

How will the changes impact privacy?

If you’re a privacy professional, there is no doubt that the government’s announcement will get the attention of your executives and board.

We’ve been here before, though: when the GDPR was introduced with its large fines, and when the previous government announced increases to the penalties under the Privacy Act in 2019 (although we didn’t see any draft legislation until 2021!).

It’s important to remember that mistakes will happen, and data breaches will too. The best response is a focus on understanding the information your organisation holds: where it is stored, what it is used for, how it is secured, who has access to it and when it should be destroyed. It’s about more than compliance; it’s about handling the data of your customers, employees and suppliers with respect, in accordance with community and regulatory expectations and consistent with data protection principles.

Don’t forget that the broader review of the Privacy Act is still ongoing, so there will be more change to come. We expect those changes to bring much tougher compliance requirements.

We are also expecting developments in the regulation of cyber security, possibly including the introduction of more prescriptive and broader-reaching requirements.

Privacy and security professionals will be in greater demand than ever before.

Privacy Act compliance assessment

If you’re worried about your organisation’s privacy compliance, or don’t know where to start in assessing it, we offer a Compliance Self Health Check that provides a comprehensive report delivered to your email, with clear next steps and compliance scoring against the Australian Privacy Principles.

[1] Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

[2] OAIC Media Release 26 October 2022

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.