Recent months have seen high-profile, extensive data breaches affecting major businesses and involving the release of personal information of thousands of Australians.
The Commonwealth Government has sought to respond quickly to shore up Australia’s privacy laws, introducing the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) to Parliament.
The Bill seeks to make changes to existing Commonwealth legislation to increase the financial penalties for data breaches, enhance the powers of the Office of the Australian Information Commissioner (Commissioner), and improve the information-sharing powers of government authorities that oversee privacy and data protection.
If and when the Bill is passed by the Senate, the amendments will come into effect the day after the Bill receives Royal Assent.
The recent publicity around major data breaches and these imminent enhancements to privacy laws serve as a reminder of the importance for all Australian businesses of revisiting and updating their data breach response plans, cybersecurity measures and privacy policies and procedures.
Section 13G of the Privacy Act 1998 (Cth) (Privacy Act) makes it an offence to undertake an act or engage in a practice that seriously interferes with the privacy of an individual, or to repeatedly undertake an act or engage in a practice that interferes with the privacy of one or more individuals.
If and when the Bill is passed, the penalties for serious or repeated interferences with privacy will be significantly increased, both for companies and other organisations or individuals.
The increased penalties will be as follows:
Expanded powers for the Commissioner
The Bill includes proposed amendments to the Australian Information Commissioner Act 2010 (Cth) and the Privacy Act, to expand the enforcement powers available to the Commissioner by:
- providing powers to the Commissioner to issue infringement notices for a failure to provide information, answer questions or produce documents when required to do so;
- providing powers to the Commissioner to compel entities to engage an independent and suitably qualified adviser to assist with implementing steps to prevent the repetition or continuation of conduct that constitutes an interference with privacy;
- providing powers to the Commissioner to require entities to prepare and/or publish a statement about the conduct that led to the interference with privacy;
- empowering the Commissioner to conduct an assessment of an entity’s compliance with the Notifiable Data Breaches scheme;
- providing the Commissioner with a new information-gathering power to assess an actual or suspected eligible data breach; and
- strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has sufficient information about an eligible data breach, in order to assess the particular risk(s) of harm to individuals.
The Bill will also amend the Privacy Act to make it clear that foreign organisations which ‘carry on a business’ in Australia must comply with the Privacy Act, regardless of whether or not the personal information held by the foreign organisation is collected directly from a source, or otherwise held, in Australia.
Information-sharing between government authorities
The Bill will amend existing legislation to enhance the powers and rights of the Commissioner to share information with other agencies, including with other enforcement bodies, alternative complaint bodies and with State, Territory or foreign privacy regulators during the course of the performance of the Commissioner’s powers, where it is reasonable, necessary and proportionate.
The Commissioner will also gain the power to disclose information acquired by the Commissioner, if the disclosure is in the public interest.
The stated aim in amending the legislation in this way is to improve co-operation between regulators with a view to achieving better outcomes for individuals affected by privacy breaches.
Where to from here?
The Bill has been introduced to Federal Parliament and, as at the date of this note, is set for public hearing before Parliament’s Legal and Constitutional Affairs Legislation Committee.
The Bill’s proposed amendments to privacy laws reflect community and business concerns as to the scale and seriousness of recent major data breaches.
It is an opportune time for all businesses to revisit and update their data breach response plans and cybersecurity measures, to ensure that they are adequately prepared to manage and respond to data breaches.
If you would like any further assistance with assessing your compliance with the Privacy Act, or have any questions relating to the abovementioned amendments, please contact Lan Lam, Andrew Williams or Rebecca Pereira.
This Alert is intended as general information only. It does not purport to be comprehensive advice or legal advice. Readers must seek professional advice before acting in relation to these matters.