Archive: December 2022


New Privacy Enforcement Act commences in Australia

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

  • $50 million;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The Act also provides the Australian Information Commissioner with greater enforcement powers to enable privacy breaches to be resolved more quickly and efficiently through more effective information-sharing powers.

While the Privacy Act review has been ongoing since 2020, with an increase to the maximum penalties long expected, the Privacy Enforcement Act was a quick response to recent major data breaches. Attorney-General Mark Dreyfus stated that “significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business”.

This is just the first step in what is likely to be significant amendments to the Privacy Act that will follow from the Attorney-General’s Department’s ongoing review.

We expect that the regulator will start to take a far firmer approach to companies failing to secure their customers’ personal information, and it now carries a big stick to use in that process.

Australia passes Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.

The Bill amends the following:

  • Privacy Act 1988 to expand the Australian Information Commissioner’s enforcement and information sharing powers and increase penalties for serious or repeated interferences with privacy;
  • Australian Communications and Media Authority Act 2005 to enable the Australian Communications and Media Authority to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth; and
  • Australian Information Commissioner Act 2010 to allow the Australian Information Commissioner to delegate certain functions or powers.

The biggest result is the increase to maximum penalties for serious or repeated privacy breaches from the current $2.22 million for organisations to an amount not more than the greater of the following:

  • $50 million;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

We will post some answers to key FAQs about these amendments shortly, for example, what qualifies as a ‘serious and repeated’ interference with an individual’s privacy and how we consider the penalties may be applied (i.e. how a company’s adjusted turnover may be determined).

Australian Information Commissioner Angelene Falk said the changes create “closer alignment with competition and consumer remedies” under the EU GDPR and “facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.” Notably, it also brings the penalties in line with recent changes to the penalties under the Australian Consumer Law regime.

The penalty increase is intended to act as a powerful deterrent, so organisations no longer see privacy risk as a ‘risk of doing business’.

Copyright © 2023, K&L Gates LLP. All Rights Reserved.