First patch to the privacy laws in Australia: increased penalties for global companies

Increased penalties and a wider scope of application of the Privacy Act 1988 (Cth) (Privacy Act) come into effect shortly, with the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) now awaiting Royal Assent. The security of personal information belonging to Australian individuals has come under the spotlight in recent months, with multiple major data breaches and privacy-related contraventions triggering urgent reforms to the Privacy Act.

Background

New changes to the Privacy Act 1988 (Cth) (Privacy Act) passed on 28 November 2022, with the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) now passed by Parliament and awaiting Royal Assent. The broadened scope of the Privacy Act exposes more global organisations to significant penalties for non-compliance with their privacy obligations in Australia. This change signals a shift towards stronger regulation and harsher penalties to deter organisations from breaching their legal and regulatory obligations.

Key changes

The Bill introduces the following key changes:

  • increased penalties;
  • expansion of the extra-territorial application of the Privacy Act; and
  • increased enforcement and information sharing powers for regulators.

These changes have arisen from the Australian Government’s renewed focus to strengthen privacy laws in the wake of major data breaches that have exposed the personal data of millions of Australians.

New penalties

Most significantly, the Bill increases the penalty for ‘serious’ or ‘repeated’ interferences with the privacy of an individual by a body corporate to an amount not more than the greater of:

  • AU$50 million; or
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit; or
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the ‘breach turnover period’ for the contravention.

The ‘breach turnover period’ is the longer of:

  • the period of 12 months ending at the end of the month in which the contravention ceased, or proceedings in relation to the contravention were instituted (whichever is earlier); or
  • the period starting at the beginning of the month in which the contravention occurred and ending at the end of the month in which the contravention ceased or proceedings in relation to the contravention were instituted.

Although the new penalty provisions were introduced in the context of data breaches, organisations should be aware that the penalty provisions apply in respect of all ‘serious’ or ‘repeated’ interferences with privacy. This encompasses not only a breach of an entity’s obligations in the event of an eligible data breach, but also breaches of an organisation’s obligations under the Australian Privacy Principles (such as collection, use, disclosure and storage requirements).

Whether an interference with privacy is ‘serious’ is an objective question that will reflect what a reasonable person would consider serious (e.g. factors such as whether the information is sensitive in nature or whether it involved deliberate or reckless conduct). ‘Repeated interference with privacy’ means that an entity has interfered with the privacy of an individual or individuals on two or more separate occasions.

These penalties match the recent amendments introduced by the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022 which increased penalties that may be awarded for breaches of the Australian Consumer Law (ACL) five-fold, to the greater of:

  • AU$50 million;
  • if the court can determine the value of the benefit obtained—three times the value of that benefit; or
  • if the court cannot determine the value of the benefit obtained—30% of the body corporate’s adjusted turnover during the breach turnover period for the offence, act or omission.

Provisions in the ACL that are impacted by this change include, amongst others, misleading representations about goods or services.

Global companies operating in Australia must therefore be mindful of their obligations under both the Privacy Act and the ACL. In fact, earlier this year, under the old ACL penalty regime, the Federal Court handed down a historic AU$60 million penalty against an online platform for making misleading representations to consumers about the collection and use of personal information on mobile phones, in breach of the ACL.

Extra-territorial application

The Bill modifies the extra-territorial application of the Privacy Act. A greater number of foreign organisations conducting business in Australia will be impacted by this change.

Foreign organisations are required to comply with the Privacy Act if the organisation has an ‘Australian link’. Pursuant to subsection 5B(2) of the Privacy Act, an organisation (or small business operator) has an ‘Australian link’ if the organisation (or small business operator) is:

  • an Australian citizen; or
  • a person whose continued presence in Australia is not subject to a limitation as to time imposed by law; or
  • a partnership formed in Australia (or an external territory); or
  • a trust created in Australia (or an external territory); or
  • a body corporate incorporated in Australia (or an external territory); or
  • an unincorporated association that has its central management and control in Australia (or an external territory).

Until recently, subsection 5B(3) of the Privacy Act stated that an ‘organisation’ (or small business operator) also has an ‘Australian link’ if:

  • none of the above categories apply; and
  • the organisation (or small business operator) carries on business in Australia (or an external territory); and
  • the personal information was collected or held by the organisation (or small business operator) in Australia (or an external Territory), either before or at the time of the act or practice.

At a practical level (as highlighted by two recent major data breaches in Australia) it may be difficult to establish whether organisations collect or hold personal information from a source in Australia, particularly in cases of data breaches.

Under the amended subsection 5B(3) of the Privacy Act, the last criterion has been removed, so there is no longer a requirement that an organisation must have collected or held personal information in Australia, either before or at the time of the act or practice, in order to have an ‘Australian link’. In effect, this means that foreign organisations can be captured under the Privacy Act provided they carry on business in Australia, even if the foreign organisation does not have a local subsidiary in Australia.

Enforcement and information sharing powers

The Bill also introduces new enforcement and information sharing powers for the Information Commissioner.

The Information Commissioner’s new powers include (amongst other things) the power to:

  • request an entity to provide information and documents in relation to an eligible data breach under the Notifiable Data Breach Scheme (NDB Scheme);
  • assess whether an entity is compliant with its obligations under the NDB Scheme;
  • issue infringement notices for entities that fail to provide requested information;
  • share information obtained under the Privacy Act with other enforcement bodies (such as the Australian Communications and Media Authority), an alternative complaint body, and a State, Territory or foreign privacy authority; and
  • disclose information to the public where it is in the public interest to do so.

Refresher on reporting obligations

These reforms are indicative of a broader trend towards privacy and cybersecurity being key focus areas for regulators in Australia under multiple regimes. It is now quite common for global businesses to operate across a number of sectors, and organisations may have obligations relating to responding to a data breach beyond those contained in the Privacy Act. For example, Australian businesses may also need to comply with the General Data Protection Regulation (GDPR).

Other reporting obligations may also arise, including to:

  • the Australian Cyber Security Centre (for organisations that are also subject to the Security of Critical Infrastructure Act 2018 (SOCI Act));
  • the Office of the Australian Information Commissioner (for those operating under the Consumer Data Right system);
  • the Department of Health and the Australian Digital Health Agency (for those operating in the health sector, including those operating under the National Cancer Screening Register and My Health Record System);
  • the Australian Securities and Investments Commission (including for AFS licensees and credit licensees who have core obligations in relation to data protection);
  • the Australian Securities Exchange (for listed entities complying with continuous disclosure requirements);
  • the Australian Prudential Regulation Authority (for those operating in financial services industries, such as banking, insurance and superannuation);
  • the Australian Taxation Office (for breaches involving confidential taxpayer information);
  • police or law enforcement bodies (if the data breach involves cybercrime);
  • State or Territory Privacy and Information Commissioners;
  • professional associations and regulatory bodies; and/or
  • insurers.

For those operating in NSW and with contracts with the NSW Government, we note that the Privacy and Personal Information Protection Amendment Bill 2022 (NSW) was passed on 16 November 2022, creating a mandatory data breach notification scheme for NSW Government agencies.

Next steps

Given the significant increase in potential penalties, organisations should take the opportunity to review their existing privacy policies and practices, and to ensure that they are prepared to respond to a cyber-attack or data breach. This includes ensuring that the business is on top of their notification requirements under the NDB Scheme and the SOCI Act (amongst other legislation).

Meanwhile, the Attorney-General’s Department’s review of the Privacy Act is still ongoing and is likely to result in a major overhaul of the Privacy Act to reflect the digital era we live in today. The Albanese Government has indicated that changes resulting from the review may be fast-tracked in light of recent developments. It is important for organisations to keep abreast of any upcoming changes. Please contact us if you have any questions in relation to your organisation’s privacy obligations.

Authored by Mandi Jacobson, Angell Zhang, and Bonnie Liu.