Tag: law reform


New Privacy Enforcement Act commences in Australia

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.

As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:

  • $50 million;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The Act also provides the Australian Information Commissioner with greater enforcement powers to enable privacy breaches to be resolved more quickly and efficiently through more effective information-sharing powers.

While the Privacy Act review has been ongoing since 2020, with an increase to the maximum penalties long expected, the Privacy Enforcement Act was a quick response to recent major data breaches. Attorney-General Mark Dreyfus stated that “significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business”.

This is just the first step in what is likely to be significant amendments to the Privacy Act that will follow from the Attorney General’s Department’s ongoing review.

We expect that the regulator will start to take a far firmer approach to companies failing to secure their customers’ personal information, and it now carries a big stick to use in that process.

Australia passes Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

Earlier this week (on 29 November), the Australian Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) which was introduced to Parliament on 26 October 2022.

The Bill amends the following:

  • Privacy Act 1988 to expand the Australian Information Commissioner’s enforcement and information sharing powers and increase penalties for serious or repeated interferences with privacy;
  • Australian Communications and Media Authority Act 2005 to enable the Australian Communications and Media Authority to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth; and
  • Australian Information Commissioner Act 2010 to allow the Australian Information Commissioner to delegate certain functions or powers.

The biggest result is the increase to maximum penalties for serious or repeated privacy breaches from the current $2.22 million for organisations to an amount not more than the greater of the following:

  • $50 million;
  • if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
  • if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

We will post some answers to key FAQs about these amendments shortly. For example: what qualifies as a ‘serious and repeated’ interference with an individual’s privacy, and how we consider the penalties may be applied – i.e. how a company’s adjusted turnover may be determined.

Australian Information Commissioner, Angelene Falk said the changes create “closer alignment with competition and consumer remedies” under the EU GDPR and “facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.” Notably, it also brings the penalties in line with recent changes to the penalties under the Australian Consumer Law regime.

The penalty increase is intended to act as a powerful deterrent, so organisations no longer see privacy risk as a ‘risk of doing business’.

Update from the Australia/New Zealand privacy conference and the changes to Australian privacy and cybersecurity laws

By Cameron Abbott, Rob Pulham and Stephanie Mayhew

We’ve just returned from the annual iapp Australia/New Zealand privacy conference held in Sydney this week, and it was a whirlwind. Even if you’re not one of around half of Australians affected by two of the biggest data breaches in our recent history, you’ll be aware a lot is changing – and a lot more is poised to change – in this space.

We’ll be blogging over the coming weeks about some of the key themes and changes your organisation will need to prepare for, including:

– new regulatory enforcement tools;
– higher expectations of the way personal information is collected and secured, and when it needs to be destroyed;
– potential removal of key exemptions, such as the employee records exemption, that your business may currently rely on;
– and of course the major penalty increases that seek to deter privacy breaches being viewed as ‘the cost of doing business’,

as Australia tightens the protections around the collection and use of Australians’ personal information.

Stay tuned!

Attorney-General Mark Dreyfus pledges sweeping data privacy reforms

By Cameron Abbott, Rob Pulham and Hugo Chow

Newly sworn-in Attorney-General Mark Dreyfus has announced that a range of “sweeping reforms” needs to be made to Australia’s privacy laws, and that he is committed to making these changes during the government’s first term in parliament.

Mr Dreyfus’ department is currently reviewing the feedback it has received from its discussion paper around the current review of the Privacy Act 1988 (Cth) (Privacy Act). Mr Dreyfus said that “Everyone agrees that the Commonwealth Privacy Act is out of date and in need of reform for the digital age”, and that he is hoping to bring a final report of reform proposals into the public domain in the coming months.

Privacy practitioners have for years been anticipating some level of reform as the winds of change have been blowing, but it has not been easy to predict what may change, or when. Proposed changes include strengthening individuals’ privacy rights, including creating a direct cause of action or statutory right for breaches of privacy laws; introducing specific codes for certain industries; and increasing maximum penalties which are significantly out of step with international jurisdictions and with other key Australian business laws.

However, such changes are not likely to be welcomed by all, even if “everyone agrees” the Privacy Act is out of date and in need of reform, with business groups opposed to areas of proposed reform such as allowing individuals to bring claims directly against companies.

It is a fascinating precursor to what may become hotly contested reforms with significant impact on how businesses engage with their customers. It may be hard to tell but privacy nerds are on the edge of our seats as the reforms, much talked about, move a step closer to taking shape. There’s never been a better time to start paying attention.

UK consults on new data protection regime

By Norin McFadden and Claude-Étienne Armingaud

The UK government has unveiled its much-trailed plans to reform its data protection laws, outlined in a consultation document which is open for public comment until 19 November 2021.

Since Brexit was finalised at the start of 2021, the United Kingdom has retained much of the EU General Data Protection Regulation. The government’s plans, if implemented, would see the UK move away from the EU’s approach in several key ways, which may jeopardise the continuation of the adequacy decision granted by the EU in June. If the adequacy decision, which currently permits free flows of personal data between the EU and the UK, were terminated, businesses on both sides of the Channel could face increased costs and bureaucracy to continue their data transfers.

Some of the changes to the UK GDPR proposed in the consultation document are:

  • Making the legitimate interests lawful basis easier to use, by publishing a limited, exhaustive list of legitimate interests that organisations can use without having to complete a balancing test.
  • Removal of the right to human review of decisions made on the basis of solely automated data processing.
  • Introducing a fee for responding to subject access requests, and allowing organisations to refuse to comply with requests at a lower threshold than the “manifestly unfounded” test required under the current legislation.

The proposals also introduce potential changes to the UK’s Privacy and Electronic Communications Regulations, including:

  • Increasing the current maximum penalty of £500,000 for breaches of the direct marketing regulations to the higher of 4% of global turnover or £17.5 million, thereby matching the maximum penalty under UK GDPR.
  • Removing the requirement for websites to obtain consent before serving some analytics cookies.
  • Extending the “soft opt in” for direct marketing to organisations other than businesses, such as charities and political parties.

Get with the program – China’s new privacy laws are coming

By Cameron Abbott and Ella Richards

The People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL) on Friday 20 August 2021. The new privacy regime strengthens the protection around the use and collection of personal data and introduces a new requirement for user consent.

The PIPL, which closely resembles the European Union’s General Data Protection Regulation, prevents the personal data of PRC nationals from being transferred to countries with lower standards of data security, a rule that may pose inherent problems for foreign businesses. The PIPL was introduced following an increase in online scamming and individual service price discrimination, where the same service is offered at different prices based on a user’s shopping profile. However, while businesses and some state entities face stronger collection obligations, the PRC state security department will maintain full access to personal data.

Although the final draft of the PIPL is yet to be released, the new law is set to commence on 1 November 2021. Companies will face fines of up to 50 million yuan (US$7.6 million), or 5% of their annual turnover, if they fail to comply. For an in-depth discussion of the Draft PIPL released in August 2020, see our K&L Gates publication here.

Copyright © 2023, K&L Gates LLP. All Rights Reserved.