The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) has now passed both Houses of Parliament and will become law imminently, commencing the day after it receives Royal Assent. The Attorney-General tabled the Bill last month following the unprecedented data breaches affecting Optus and Medibank.
Passing of the Bill comes after the Senate Standing Committee on Legal and Constitutional Affairs (Senate Committee) last week published its report on the Bill (the Senate Report), which effectively rubber-stamped the reform with no substantive amendments.
Objectives of the Privacy Legislation Amendment Bill
As we previously covered, the Bill covers four key objectives with respect to the Privacy Act 1988 (Cth) (the Privacy Act):
- to significantly increase penalties for serious or repeated privacy breaches;
- to give the Office of the Australian Information Commissioner (OAIC) enhanced powers to request information and conduct compliance assessments of the notifiable data breach regime;
- to give the OAIC new enforcement powers, allowing the OAIC to require entities to conduct external reviews of their internal procedures and to publish notices about specific privacy breaches to affected individuals; and
- to introduce new information sharing powers for the OAIC and the Australian Communications and Media Authority (ACMA).
In addition, the Bill also makes small but significant tweaks to the Privacy Act which widen its extraterritorial application. This was a focus of the Senate Report and is discussed further below.
Although the subject matter of the Bill already falls within the scope of the ongoing review of the Privacy Act by the Attorney-General’s Department (AGD) (the Review), it was considered imperative to legislate as soon as possible given the worsening cyber incident risk climate and the palpable public concern about the security of personal information.
The Bill was referred to the Senate Committee for its inquiry and report. Notwithstanding the fairly expedited timeframe of less than a month, the Senate Committee received 32 submissions from the public and heard from more than a dozen stakeholders at public hearings.
On the whole, participating stakeholders were supportive of the Bill and saw it as commensurate with changing public expectations regarding the privacy and security of their personal information (more of which, it was noted, was being required to participate in contemporary Australian society).
While all relevant matters were explored in the Senate Report, ultimately it endorsed passing the Bill subject to only two recommendations, both of which related to the ongoing Review rather than the Bill itself:
- that section 13G of the Privacy Act be amended to define the terms ‘serious interference’ and ‘repeated’ interference; and
- that section 5B of the Privacy Act be considered further in terms of the appropriateness of including additional factors to constitute an ‘Australian link’.
Maximum penalty increase
The Bill strengthens section 13G of the Privacy Act, which currently outlines an offence for entities that, through an act or practice, seriously interfere with the privacy of an individual, or repeatedly interfere with the privacy of one or more individuals. Currently, the maximum penalty that can be applied to a body corporate for breach of the current section 13G is $2.22 million (or $2.75 million after the upcoming increase to the Commonwealth penalty unit).
The Bill increases the maximum penalty for a body corporate for serious or repeated interferences with privacy to an amount not more than the greater of:
- $50 million;
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – 3 times the value of that benefit;
- if a court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
Challenges with section 13G
Upgrading the maximum penalties received broad general support; however, several challenges or shortcomings were identified:
- While multiple stakeholders commended the parity being built with comparative regimes (both domestically in other regulatory spaces, and internationally in the privacy space), the Law Council cautioned against attempts to mirror penalty calculation approaches adopted under the Australian Consumer Law that were still untested. The AGD, however, defended alignment and explained that there was an ongoing need to avoid siloed approaches to interrelated competition, consumer and privacy harms.
- Similarly, the utility of how the new penalty framework incorporated the concept of ‘benefit’ derived from an interference with privacy was questioned. Both the Law Council and the Business Council of Australia noted the difficulty in quantifying benefit derived from privacy breaches, as well as the greater propensity for privacy breaches to only produce adverse financial, commercial and reputational consequences. To this end, the AGD clarified that they had not intended to suggest that benefit to an entity arose in all instances. Instead, where no benefit exists (as distinct from when the benefit cannot be quantified), the first limb of $50m comes into play.
- Others noted that the increased penalties were too high, particularly as they would apply in several Privacy Act breach contexts (not just large data breaches), as well as the fact that they could be applied to small businesses or charitable organisations in certain circumstances. The Australian Privacy Commissioner, Angelene Falk, accepted that they would apply in a range of contexts, but noted that reliance on civil penalties would always be one of many enforcement options explored by the OAIC.
The above concerns were aired along with the suggestion that a tiered approach to penalties would lead to more scalable, balanced and effective outcomes. The AGD confirmed that a tiered approach was being considered as part of the broader Review, but also echoed Ms Falk’s comments in reminding the Senate Committee that tiered responses were already partially provided for in the range of enforcement options that the Privacy Act gives the OAIC.
Serious and repeated interference
Most stakeholder concerns regarding the increased penalties stemmed from the uncertainty surrounding the threshold triggers of ‘serious’ and ‘repeated’ interference, and how they would be applied. Neither concept is defined, nor is any non-exhaustive list of factors provided to guide compliance and enforcement efforts. Clarity is further frustrated by the lack of prior enforcement and legal precedent.
While this issue does of course predate the Bill, stakeholders argued that significantly increased penalties heighten the mandate for bringing clarity to section 13G. While the AGD said that it remains appropriate for the confines of both concepts to be largely determined through enforcement, they did also concur that additional clarity could be explored as part of the broader Review.
Ultimately, the Senate Committee concluded that the AGD ought to recommend defining the terms ‘serious interference’ and ‘repeated’ interference, and that the Australian Government should implement any such recommendation. While appearing to not form part of its formal recommendation, the Senate Report also encouraged that the drafting of section 13G be revisited in light of concerns about the use of the ‘benefits’ concept.
The Senate Report also explored safe harbours for organisations in respect of the maximum penalties, including arguments for and against their introduction. Those who provided support for safe harbour regimes argued that organisations that take reasonable steps to protect personal information should not be penalised, particularly in light of what are increasingly sophisticated and targeted cyber-attacks by criminal enterprises.
Opposition to safe harbour regimes pointed to the failed EU-US Privacy Shield as an example of how the mechanism, in practice, disincentivises the type of compliance posture needed to meet current public expectations of privacy and data protection. However, the Australian Information Industry Association contended that this was instead a matter of how any safe harbour regime was constructed, arguing that a robust regime would be more likely to incentivise positive privacy practices.
Extraterritoriality and ‘Australian link’
In addition to changes to the penalty regime, the Bill also strengthens the investigatory and enforcement powers of the OAIC. One such change is the repeal of paragraph 5B(3)(c), which provides that in order for an entity to have an ‘Australian link’ under that section, the entity must be collecting or holding personal information in Australia.
The Privacy Act will only apply to an act done, or practice engaged in, outside Australia, under the circumstances outlined in section 5B. The current paragraph 5B(3)(c) was claimed to be at odds with the desire to have Australian privacy laws that “remain fit for purpose in a globalised world, and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore”.
Although the change was supported by several stakeholders, the Law Council, Business Council of Australia and Digital Industry Group Incorporated each expressed concern that removing the paragraph (without otherwise replacing it) could lead to situations where acts and practices of no relevance to Australians or Australia could fall within the scope of the Privacy Act. For its part, the Law Council conceded that this ought not be a barrier to the Bill’s immediate passage, but that it should be considered as part of the Review. As with its first recommendation, the Senate Committee ultimately found that the concerns should not delay passage of the Bill and that instead the AGD should examine the appropriateness of section 5B providing for any additional ‘Australian link’ as part of its Review.
Much more to come
While, in the end, all substantive challenges and concerns were deferred for resolution in the broader Review, the Senate Report effectively captures the state of play for privacy regulation in a post-Optus / Medibank data breach environment. The intention of the Australian Government was always that the Bill, brought forward on account of these data breaches, would only be a taste of things to come. As Gilbert + Tobin have previously noted, increased penalties cannot be the end of the conversation when it comes to meeting current public expectations for privacy and incident redress.
Authors: Melissa Fai and Bryce Craig