Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.
The Bill amends the following:
- Privacy Act 1988 to expand the Australian Information Commissioner’s enforcement and information sharing powers and increase penalties for serious or repeated interferences with privacy;
- Australian Communications and Media Authority Act 2005 to enable the Australian Communications and Media Authority to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth; and
- Australian Information Commissioner Act 2010 to allow the Australian Information Commissioner to delegate certain functions or powers.
The biggest result is the increase to maximum penalties for serious or repeated privacy breaches from the current $2.22 million for organsiations to an amount not more than the greater of the following:
- $50 million;
- if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
- if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
We will post some answers to key FAQs about these amendments shortly. For example – what is qualified as a ‘serious and repeated’ interference of an individual’s privacy and how we consider the penalties may be applied – i.e. how a company’s adjusted turnover may be determined.
Australian Information Commissioner, Angelene Falk said the changes create “closer alignment with competition and consumer remedies” under the EU GDPR and “facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.” Notably, it also brings the penalties in line with recent changes to the penalties under the Australian Consumer Law regime.
The penalty increase is intended to act as a powerful deterrent, so organsiations no longer see privacy risk as a ‘risk of doing business’.