The new laws will commence on Royal Assent which is expected shortly. The amendments:
- Increase the maximum penalties that may be awarded for serious or repeated interferences with an individual's privacy:
  - for a person other than a body corporate, AUD 2.5 million; or
  - for a body corporate, the greater of:
    - AUD 50 million;
    - if the court can determine the value of the benefit obtained, three times the value of that benefit; or
    - if the court cannot determine the value of the benefit obtained, 30% of the body corporate's adjusted turnover during the breach turnover period.
- Strengthen the Australian Information Commissioner's ("Commissioner's") powers in several ways, including by making it easier for the Commissioner to find out more about an entity's practices for complying with the Privacy Act (in particular the notifiable data breach scheme), and by giving the Commissioner a greater ability to direct an entity on what it must do on compliance matters.
- Provide the Commissioner with greater information sharing abilities.
The amendments show that the Government is shining a spotlight on corporate Australia's role and responsibility in protecting individuals' privacy from potential threats. The amended penalty and regulatory regime is intended to force businesses to re-assess their privacy processes and encourage a proactive approach to data privacy and security.
The key takeaways for businesses are:
- The amendments introduce increased maximum penalties for "serious" or "repeated" interferences with privacy. As a result, the courts will have substantial discretion to order large penalties. Questions remain on what constitutes a "serious" or "repeated" interference with privacy. However, the message is clear that businesses need to review their data handling practices to ensure they are up to date and staff understand the applicable requirements.
- More overseas businesses may be subject to the Privacy Act, as the amendments remove the pre-condition for the extraterritorial application of the Privacy Act that an overseas entity collect or hold an individual's personal information in Australia at or before the time of the alleged breach. Instead, the Commissioner will only need to show that an overseas entity is carrying on business in Australia in order to enforce the Privacy Act against it. The Commissioner had adopted a broad interpretation of when information was collected or held in Australia in any event, which may suggest the amendment does not significantly change the risk for overseas businesses. It does reinforce, however, that if you are an overseas company that targets the Australian market, you are likely to be subject to the Privacy Act. You should assess whether your policies and processes are compliant with the Privacy Act, and address any gaps, to avoid enforcement action.
- The Commissioner will be able to issue infringement notices imposing civil penalties on businesses for non-compliance with requests to provide information, to answer questions or to produce documents or records, instead of only having recourse to criminal proceedings. This will make it easier for the Commissioner to impose penalties for relatively minor infringements.
- The amendments enhance the Commissioner's existing power to make a declaration that a business must take specified steps to rectify conduct which led to a breach, by empowering the Commissioner to direct businesses to engage an independent and suitably qualified adviser to assist with this process at the business' own cost.
- The Commissioner will have the power to pre-emptively assess a business' compliance with the Notifiable Data Breach (NDB) scheme, even where no breach has occurred, and request information and documents for that purpose. Businesses should ensure that staff know that records relating to the NDB scheme could be requested by the Commissioner for review.
- The Commissioner will also have the ability to make disclosures in the public interest and to publish the results of NDB scheme assessments and independent reviews on its website. This means the Commissioner will be able to "name and shame" businesses who do not measure up and also creates a risk of disclosure of information which a business would prefer to keep confidential.
In more detail
Increased maximum penalties
The increased maximum penalties align with the recently amended maximum penalties for breach of key parts of the Competition and Consumer Act 2010 (Cth) and the Australian Consumer Law. The multi-limbed maximum penalties for corporations import complex and broad concepts of "benefit", "adjusted turnover" and "breach turnover period" (the "adjusted turnover" concept including local revenue of the corporate group, and the "breach turnover period" being subject to a 12 month minimum period). Together, these create a material risk of significant penalties being imposed on businesses where they engage in a "serious" or "repeated" interference with privacy.
The Commissioner's enhanced enforcement powers
The Commissioner's new power to issue infringement notices for a failure or refusal to provide requested information, documentation or answers means that, rather than pursuing protracted criminal proceedings for any minor non-compliance (which has to date been the Commissioner's only option), the Commissioner can fine businesses that fail to cooperate before invoking criminal liability:
- minor non-compliance will attract a civil penalty of 60 penalty units (currently, AUD 13,320);
- a system of conduct or pattern of behavior resulting in multiple failures or refusals will attract a criminal penalty of 300 penalty units (currently, AUD 66,600).
Enhanced sharing powers
The amendments enhance the Commissioner's powers to exchange information with enforcement bodies, alternative complaint bodies, State/Territory authorities and overseas privacy authorities, in order to enhance collaboration.
Sharing will be permitted as long as certain broad criteria are met; the sharing needs to be reasonable, necessary and proportionate in the exercise of the powers or performance of functions and duties of the Commissioner.
This will allow the Commissioner to highlight to another regulatory body any data breach which meets the criteria. As such, businesses should be cognizant that much, if not all, of the information that the Commissioner and her office collect could be passed on to another authority, which could give rise to regulatory action in other jurisdictions. Businesses may want to emphasize this point when training their staff.
These changes are part of the increasing trend to empower enforcement bodies to share information.
Public interest disclosures
The amendments enable the Commissioner to make public interest disclosures of information acquired in the course of exercising powers or performing functions or duties under the Privacy Act. Various factors must be considered in determining whether a disclosure is in the public interest, such as whether it will or is likely to disclose an individual's personal information or confidential commercial information, and the potential prejudicial impact on an investigation or enforcement related activities.
This heightens the risk of negative PR arising from a privacy compliance failure.
NDB scheme: information gathering and compliance assessments
The amendments empower the Commissioner to:
- conduct a pre-emptive assessment of a business' data breach response protocols and processes
- give notices requiring the provision of specified kinds of information and/or documents, or the answering of questions, relating to actual or suspected eligible data breaches or a business's compliance with the NDB scheme
- take and copy documents, and keep them for any period necessary to assess the business' compliance with the NDB scheme
- publish information relating to such an assessment and determinations on the Commissioner's website.
The Commissioner will also be able to require a business to give notifications (directly to individuals or publicly) of conduct that has been determined to constitute an interference with the privacy of an individual, and to prove to the Commissioner that these notifications have been given.
Power to require engagement of an independent advisor
The amendments empower the Commissioner, after finding that there has been an interference with an individual's privacy, to require the respondent to engage an independent and suitably qualified adviser to assist and advise on remediation steps and other relevant matters, at the respondent's own cost. The adviser would report to the Commissioner, and the Commissioner could publish outcomes on its website.
Eligible data breach notice requirements
The amendments require businesses to include in their data breach notifications details of the particular kinds of information that are subject to the breach, purportedly to enable the Commissioner to make a more comprehensive assessment of the risk of harm to individuals and of whether the business' proposed response steps are sufficient.
This requirement may be challenging, as these details may not be immediately apparent (nor reliable) when the breach is first discovered. The situation may change as the business' investigation of the breach unfolds.
The amendments will commence from the day after the amending legislation receives Royal Assent, although certain provisions will have some retrospective implications (e.g. the Commissioner's information sharing power will extend to documents and information obtained prior to the amendments, and the Commissioner will be able to request information and documents relating to data breaches that pre-date commencement).
Regarding the wider review of the Privacy Act, the Attorney-General's Department has repeatedly reiterated that its report on the review will be presented by the end of the year. If this is the case, we can expect to see more momentum and developments in this space in early 2023, including draft legislation.
Note: monetary figures given in this alert for penalties stated to be based on penalty units reflect the value of a Commonwealth penalty unit as at 24 November 2022 (i.e. AUD 222). The value of a penalty unit is expected to rise to AUD 275 on 1 January 2023 and then increase again on 1 July 2023, with indexation every 3 years thereafter.
With thanks to Chloe Danvers (General Associate) and Liz Grimwood-Taylor (Senior Knowledge Lawyer) for their assistance with this alert.