On Monday 25 March, the Government announced plans to reform Australia’s privacy laws, as well as a significant boost to funding for Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC).
While the announcement appeared to be directed toward concerns regarding the behaviour of technology and social media companies, the reforms to the penalty and enforcement regime would apply generally to all entities subject to the Privacy Act.
The proposed reforms include:
- an increase to the maximum penalty for serious and repeated interferences with privacy – up from $2.1m (for corporate entities) to the greater of $10m, 3 times the value of any benefit obtained through the misuse of the information and 10% of a company’s annual domestic turnover;
- additional enforcement powers for the OAIC to issue infringement notices to companies and individuals for a failure to undertake remedial action to resolve minor privacy breaches. The maximum fines proposed are $63,000 for companies and $12,600 for individuals;
- greater enforcement and remedial powers for the OAIC, including the ability to publicise specific breaches and notify affected individuals;
- a requirement that technology and social media companies cease using or disclosing an individual’s personal information on request;
- specific rules to protect the personal information of children and other vulnerable groups; and
- a new code for social media and online platforms dealing with how they may collect, use and disclose personal information.
In order to fund the expected increase in regulatory intervention by the OAIC under the revised regime, the Government also announced a $25 million increase to the OAIC’s funding over three years, to be announced in the forthcoming budget (in addition to the funding increase of $12.9 million the OAIC received in relation to the Consumer Data Right regime).
Showing more teeth
Monday’s announcement is consistent with global trends in privacy law reform. Most notably, the 2018 introduction of the General Data Protection Regulation (GDPR) in Europe raised the maximum penalties for privacy breaches to 2% of the annual global turnover of an offending company.
The introduction of an infringement notice regime is a noteworthy change as it would give the OAIC the ability to deter and financially punish breaches of the Privacy Act which do not amount to “serious or repeated” breaches, the relatively high threshold under existing rules.
New and increased penalties may do little to improve privacy practices if the OAIC rarely seeks their imposition. The increased funding to the OAIC and the proposed expansion of the OAIC’s powers suggest that the OAIC may be about to take a more aggressive stance on monitoring compliance with the Privacy Act – or at least that it will have more resources to do so.
Such a move would be in line with how other government regulators are altering how they utilise their powers and seek to fulfil their purposes. Following the Banking Royal Commission, regulators face increased scrutiny for regulatory failures and legislators have responded by handing out bigger sticks. Given the increasing volume, value and profile of data, it is unsurprising that attention has now turned to compliance in the technology and data spaces.
The proposed amendments to the Privacy Act follow increasing regulatory interest in the data economy. Both the preliminary findings of the ACCC’s world-first ‘Digital Platforms’ inquiry (released 10 December 2018), which recommended greater resourcing for OAIC enforcement (among other changes), and the passage of the Government’s anti-encryption legislation in December 2018 have shown that regulating the digital frontier is front of mind for governments.
The Government has slated consultation for the proposed amendments in the second half of 2019, and noted that the draft legislation will include any final recommendations arising as a result of the ‘Digital Platforms’ inquiry due for release in June of this year.