
This week the Federal Attorney General introduced legislation to increase fines for privacy breaches, largely in response to the Optus and Medibank data breaches. We cover the Optus data breach in more detail here and here.
It’s been quite the few weeks for Australian privacy and security professionals, with an unusually high number of reported data breaches, which are being followed closely by the Australian media and causing concern to the many millions of affected Australians.
The first response to this spate of significant breaches, impacting millions of Australians, is the Bill[1] introduced to parliament last week which seeks to provide the Privacy Commissioner with greater enforcement powers and increase penalties for breaches of the Privacy Act.
We explain more about what’s proposed in this new Bill below, plus some observations on what might change as a result of the new provisions.
Currently, the Privacy Act provides a penalty for serious or repeated interferences with privacy of AUD$2.5M for organisations. The Bill seeks to increase that penalty to an amount not exceeding the greater of:
In announcing the legislative changes, the Attorney-General noted the need for the increased penalty to ensure that a major data breach is seen as more than just the cost of doing business. He said “We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.” Improving the privacy and security behaviours of Australian organisations is a clear regulatory objective.
The Bill amends the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians’ information directly from a source in Australia.
The Bill also seeks to enhance the Privacy Commissioner’s enforcement powers including by:
Separately to the announcements about the Bill, the OAIC also received additional funding as part of Tuesday night’s budget to support its response and investigation into the Optus data breach, as well as having its previous funding announced in March 2022 confirmed. The Privacy Commissioner said[2] that “the OAIC has shifted to a stronger enforcement posture in line with increased privacy risks and the community’s growing concerns over the protection of their data” and that the funding “is an important addition to assist us in promoting and upholding privacy rights for the community.”
While we support the improvements to funding the OAIC, as well as specific funding for the Optus data breach response, without a consistent and confirmed increase in funding for the OAIC, increases in fines are likely to do little to improve overall compliance with the Privacy Act.
It is also unusual for the OAIC to receive funding specific to a particular data breach, and with the spate of recent data breaches being reported in the media, it will be interesting to see whether the government undertakes a wholesale review of the OAIC’s funding to enable it to enforce the Privacy Act proactively, rather than providing increases in funding on a piecemeal basis reactively.
The OAIC needs to be properly funded and staffed with experts in data protection and privacy to enable proactive regulation that is taken seriously by business. Anything short of that, even with increases in fines, is likely to have little effect on privacy compliance.
If you’re a privacy professional, there is no doubt that the government’s announcement will get the attention of your executives and board.
We’ve been here before though, when the GDPR was introduced with its large fines and when the previous government announced increases to the penalties under the Privacy Act in 2019 (although we didn’t see any draft legislation until 2021!).
It’s important to remember that mistakes will happen, and data breaches will too. A focus on understanding the information your organisation holds, where it is stored, what it is used for, how it is secured, who has access to it, and when it should be destroyed is the best response. It’s about more than compliance: it’s about handling the data of your customers, employees, and suppliers with respect, in accordance with community and regulatory expectations and consistent with data protection principles.
Don’t forget that the broader review of the Privacy Act is still ongoing, so there will be more change to come. And we expect that those changes will bring much tougher requirements for compliance.
We are also expecting to see some developments in the regulation of cyber security, and possibly the introduction of more prescriptive and broader reaching requirements.
Privacy and security professionals will be in greater demand than ever before.
If you’re worried about your organisation’s privacy compliance, or don’t know where to start to assess it, we have a Compliance Self Health Check which will provide you with a comprehensive report delivered to your email, with clear next steps and compliance scoring against the Australian Privacy Principles.
[1] Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022