In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aimed to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper), and has conducted several rounds of public consultations. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
Changes to Penalties and OAIC Powers
Yesterday the Attorney-General, Mark Dreyfus, tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) in Parliament. The Bill covers four key objectives:
- to significantly increase penalties for serious or repeated privacy breaches;
- to give the Office of the Australian Information Commissioner (OAIC) enhanced powers to request information and conduct compliance assessments of the notifiable data breach regime;
- to give the OAIC new enforcement powers, allowing the OAIC to require entities to conduct external reviews of their internal procedures and to publish notices about specific privacy breaches to affected individuals; and
- to introduce new information sharing powers for the OAIC and the Australian Communications and Media Authority (ACMA).
The Bill is being fast tracked in response to the Optus and Medibank data breaches. It is the first legislation that has been tabled in Parliament in connection with the Review.
Current position under the Privacy Act
Currently, under the Privacy Act, the maximum penalty that can be applied to a body corporate for a serious interference with the privacy of an individual, or a repeated interference with the privacy of one or more individuals, is $2.22 million (or $2.75 million after the upcoming increase to the Commonwealth penalty unit).
In November last year, the previous Government released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the Online Privacy Draft Bill). Under this draft legislation, the maximum penalties for privacy breaches would have increased to the greater of:
- $10 million; and
- three times the value of any benefit obtained (directly or indirectly) from the contravention; or
- if the value of the benefit cannot be ascertained, 10 per cent of the annual turnover of the organisation.
The Online Privacy Draft Bill was not pursued by the new Government. However, many elements of the Online Privacy Draft Bill, such as the proposed changes to the extraterritoriality provisions and the new infringement notice powers for information gathering, were adopted by the Bill.
Currently, the OAIC’s powers to obtain information about an eligible data breach under the notifiable data breach regime are limited to the information the entity discloses in its statement to affected individuals. To obtain more detailed information, the OAIC would need to open a formal investigation against the entity, and exercise its information request powers in connection with the investigation process.
Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
The Bill increases the maximum penalty for a body corporate for serious or repeated privacy breaches to whichever is the greater of:
- $50 million;
- if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – 3 times the value of that benefit; or
- if the court cannot determine the value of that benefit - 30% of the adjusted turnover of the body corporate during the breach turnover period (minimum 12 months) for the contravention.
It is also worth noting that the Bill does not propose any change to the threshold trigger for the penalties (that is, the serious or repeated interference with privacy), it just amends the penalties that apply.
New OAIC powers for eligible data breaches
- Broad powers to request information about an eligible data breach – The Bill introduces new powers for the OAIC to request information about actual or suspected eligible data breaches or the entity’s compliance with the Privacy Act’s eligible data breach regime. Notably, the Bill does not require the OAIC to give entities a reasonable amount of time to produce relevant information and the OAIC is entitled to retain possession of the materials for any period that is necessary to assess an entity’s compliance with the notifiable data breach regime. The only mechanism for resisting disclosure of materials (provided by the statute) is procuring a certificate from the Attorney-General certifying that production of the material would be contrary to the public interest.
- New powers for the OAIC to conduct assessments of compliance with the notifiable data breach scheme – The Bill gives the OAIC the right to conduct an assessment of an entity’s ability to comply with the notifiable data breach scheme. This assessment may include a review of whether an entity has appropriate procedures in place to assess suspected eligible data breaches and provide the required notices. The OAIC is entitled to conduct this assessment at any time.
New information sharing powers
- New information sharing powers for the OAIC – The Bill gives the OAIC new powers to share information and documents with: (i) other authorities (e.g. enforcement bodies, alternative complaint bodies and privacy regulators), for the purpose of exercising (or enabling the receiving authority to exercise) its powers, functions or duties; and (ii) any third parties, or to publish the information to the general public, where information sharing is in the public interest. There are a number of factors that the OAIC must consider before it discloses information in the public interest, but the Bill does not include any process for the OAIC to notify entities before their information is disclosed, and it does not include any avenue to object to this disclosure.
- Infringement notices for failures to provide information – Under the Bill, the penalty for failure, without a reasonable excuse, to give information, answer a question or produce a document where required under the Privacy Act to do so, is repealed and replaced with a civil penalty of $66,600 for bodies corporate (or $82,500 based on the incoming penalty unit values). The Bill also allows the OAIC to pursue these penalties by issuing an infringement notice, which will be a much more streamlined way for the OAIC to impose this penalty for failure to provide information.
- Penalties for systemic failures to provide information – The Bill also introduces a new offence for bodies corporate that engage in a “system of conduct or a pattern of behaviour” that results in two or more failures to give information, answer a question or produce a document where required under the Privacy Act to do so. The penalty for this new offence is also set at $66,600 (or $82,500 after the penalty unit increase) for bodies corporate, but as a contravention is a criminal offence, the OAIC has the ability to refer contraventions to the Commonwealth Director of Public Prosecutions.
- Expanded powers for the ACMA to share information with non-corporate Commonwealth entities – The ACMA has the power to share information with a list of government authorities where that information would assist the government authority to perform or exercise any of its functions or powers. The Bill proposes to expand that power to allow the ACMA to share information with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law (this would include the OAIC). The power will apply to all information held by the ACMA, regardless of when that information was acquired by the ACMA.
- Extraterritoriality of the Privacy Act – Under the existing regime, the Privacy Act applies to acts done or practices engaged in outside of Australia if the entity has an “Australian link”. One of the ways an entity can be classified as having an Australian link is if it: (1) “carries on business” in Australia; and (2) collects or holds Australians’ information directly from a source in Australia. The Bill proposes to remove the second limb of this test. The Second Reading speech for the Bill states that this amendment has been suggested “to ensure Australia’s privacy laws remain fit for purpose in a globalised world, and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore” – which can only be interpreted as a veiled reference to the OAIC’s proceedings against Meta in respect of Cambridge Analytica.
- New powers for the OAIC to make determinations following the investigation of complaints – The Bill proposes two new tools that the OAIC can use in its determinations following the investigation of a complaint. The OAIC can order an entity to engage an independent adviser to review the acts or practices that were the subject of the complaint and the entity’s proposed remediation of the complaint. The Bill also proposes that the OAIC can require entities to prepare a statement about the conduct that was the subject of the complaint and either distribute the statement to the complainants or publish the statement.
Discussion Paper Proposals
The Discussion Paper’s proposed reforms to the penalties regime and the notifiable data breach regime were not adopted by the Bill. It is unclear whether the Attorney-General will still consider these proposals in the broader Review, or whether the recent experience with high-profile data breaches in Australia has triggered a move away from these positions.
The Discussion Paper proposed that the Privacy Act should introduce a civil penalty regime for infringements that are not serious or repeated. It proposed the following additional tiers to cover less serious conduct than that under the current regime for serious and repeated interferences with privacy (Tier 1):
- (Tier 2) a new mid-tier civil penalty provision for any interference with privacy, with a lesser maximum penalty than for a serious and repeated interference with privacy; and
- (Tier 3) a series of new low-level and clearly defined breaches of certain APPs with an attached infringement notice regime – similar to those that exist for ASIC and ACCC.
On notifiable data breaches, the Discussion Paper considered whether entities should have an obligation to take reasonable steps to mitigate the adverse impacts or risk of harm that may arise for individuals as a result of a data breach. For example, proposal 27.1 of the Discussion Paper considered amending subsections 26WK(3) and 26WR(4) to the effect that a statement about an eligible data breach must set out the steps the entity has taken or intends to take in response to the breach, including, where appropriate, steps to reduce any adverse impacts on the individuals to whom the relevant information relates.
The Discussion Paper stressed the need for greater regulatory cooperation in enforcing matters involving the mishandling of personal information. This issue has been, in part, addressed by the Bill in its robust information sharing provisions.
Privacy Act Enforcement and Penalties
Although the Bill grants the OAIC new powers to request information about data breaches and to conduct compliance assessments, it does not directly allow the OAIC to take action to resolve data breaches. Contrast this with the Security of Critical Infrastructure Act 2018 (Cth), which allows the Commonwealth to issue directions and intervene in “serious cyber security incidents” which relate to certain classes of critical infrastructure assets. The Bill makes it clear that the OAIC’s role is to monitor and enforce the Privacy Act, rather than wade into cyber security incidents at a technical level.
In terms of penalties, the Bill proposes greater penalties than many commentators had previously predicted or advocated for. It is clear that the recent high-profile data breaches in Australia have provoked the Government to take a harder line than had previously been discussed as part of the reform process. However, given that the OAIC has never imposed a penalty under the Privacy Act, it remains to be seen what difference these increased penalties will actually make.
What is missing is any reform designed to assist or inform companies on how they can best protect themselves against privacy breaches and comply with the Privacy Act. There is an inherent level of uncertainty in any principles-based law, and reforms designed to give the OAIC a more active role in assisting and working with business would go much further in improving overall compliance with the Act than larger penalties.
Authors: Andrew Hii, Claire Harris, Joy Kim and Ali Khan