Skip to Content
Image of menu showing a Privacy Shortcuts Option

New Privacy Act Amendments up the Ante on Penalties for Serious Breaches

Update: This post was originally published on . It has been updated to reflect the passage of the Act on .

The Australian government has passed new legislation to increase the penalties for major privacy breaches.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was tabled before Parliament on . It was passed by Parliament on .

The Amendments will come into effect once the Act receives royal assent.

The measures are being implemented to strengthen Australian privacy law in the wake of the recent Optus and Medibank data breaches.

A full review of Australia’s privacy legislation framework is ongoing, with further proposed changes expected to be announced from 2023.

The Committee report recommmended amendments to the Privacy Act, including the introduction of definitions for "serious" and "repeated" interference, and clarification of the "Australian link" requirement, along with several other consumer protection measures.

Increased Maximum Penalties

On commencment of the Legislation, the maximum penalties will dramatically increase for serious or repeated contraventions of the Australian Privacy Principles (APPs), or the Act.

For individuals, the maximum penalty will increase to $2.5 million.

For organisations, the increased maximum penalty will be the greater of:

  • $50 million;
  • 30% of the entity’s adjusted turnover in the relevant period;
  • if the organisation stands to benefit from the breach – up to three times the value of the gain;
Graphic showing increased maximum penalties for privacy breaches in Australia
The maximum penalties for Privacy Act breaches will increase under new amendments.

Territorial Expansion

The Amendments also broaden some definitions to increase the application of Australian privacy law to overseas organisations operating within Australia.

Additional Regulatory Powers

Under the Amendments, the Office of the Australian Information Commissioner (OAIC) will receive increased investigatory powers. Enhanced data-sharing capabilities between several government agencies is also implemented.

The 2022-23 Federal Budget Papers included $5.5 million in additional funding for the OAIC to respond to the Optus data breach.

OAIC Response

Australia's privacy regulator, the OAIC, has welcomed the Amendments stating:

The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe's General Data Protection Regulation [GDPR]...

In addition, new information sharing powers will facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.

What should businesses do?

In the first instance, businesses should determine whether they are bound by the Australian Privacy Act.

If a business is bound by the Act, then they should take steps to ensure they are in compliance with the APPs. As a minimum, this should include:

  • preparing, adopting and publishing a written Privacy Policy that complies with Australian privacy law;
  • adhering to the principles for data and personal information collection, use and disclosure under the APPs;
  • maintaining sufficient security over data collected and stored by the business – such as by ensuring adequate IT security is in place to guard against unauthorised access, use or loss of the data;
  • developing response systems and strategies to prevent and mitigate data breaches and comply with any applicable Notifiable Data Breach requirements.
This post is intended for general information only and is not intended to constitute legal advice. You should obtain appropriate professional advice for your circumstances or contact us for further assistance.
Connect

Connect

Contact Form
Social Media
Mail
PO Box 5159
Mt Gravatt East Queensland 4122
Hours
Monday-Friday 9:00am-5:00pm (AEST).
Closed Public Holidays.
Meetings by appointment only.
Contact Us
 
 
Personal information submitted in this form will be used for the purpose of responding to your Enquiry and will be handled in accordance with our Privacy Policy.
Submission of an Enquiry Form does not create a solicitor-client retainer between you and Mirai Legal.