The Australian government has passed new legislation to increase the penalties for major privacy breaches.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was tabled before Parliament on . It was passed by Parliament on .
The Amendments will come into effect once the Act receives royal assent.
The measures are being implemented to strengthen Australian privacy law in the wake of the recent Optus and Medibank data breaches.
A full review of Australia’s privacy legislation framework is ongoing, with further proposed changes expected to be announced from 2023.
The Committee report recommended amendments to the Privacy Act, including the introduction of definitions for "serious" and "repeated" interference, and clarification of the "Australian link" requirement, along with several other consumer protection measures.
Increased Maximum Penalties
On commencement of the Legislation, the maximum penalties will dramatically increase for serious or repeated contraventions of the Australian Privacy Principles (APPs), or the Act.
For individuals, the maximum penalty will increase to $2.5 million.
For organisations, the increased maximum penalty will be the greater of:
- $50 million;
- 30% of the entity’s adjusted turnover in the relevant period; or
- if the organisation stands to benefit from the breach, up to three times the value of the gain.
The Amendments also broaden some definitions to increase the application of Australian privacy law to overseas organisations operating within Australia.
Additional Regulatory Powers
Under the Amendments, the Office of the Australian Information Commissioner (OAIC) will receive increased investigatory powers. Enhanced data-sharing capabilities between several government agencies are also implemented.
The 2022-23 Federal Budget Papers included $5.5 million in additional funding for the OAIC to respond to the Optus data breach.
Australia's privacy regulator, the OAIC, has welcomed the Amendments, stating:
The updated penalties will bring Australian privacy law into closer alignment with competition and consumer remedies and international penalties under Europe's General Data Protection Regulation [GDPR]...
In addition, new information sharing powers will facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.
What should businesses do?
In the first instance, businesses should determine whether they are bound by the Australian Privacy Act.
If a business is bound by the Act, it should take steps to ensure it is in compliance with the APPs. As a minimum, this should include:
- adhering to the principles for data and personal information collection, use and disclosure under the APPs;
- maintaining sufficient security over data collected and stored by the business – such as by ensuring adequate IT security is in place to guard against unauthorised access, use or loss of the data;
- developing response systems and strategies to prevent and mitigate data breaches and comply with any applicable Notifiable Data Breach requirements.