Bill to strengthen Australian privacy laws passes, how should NZ entities respond?

2 December 2022

The Australian Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (the Bill) passed through both houses of the Australian Parliament on 28 November 2022 and will now be presented to the Governor-General for Royal Assent.

The Bill was triggered by a number of data breaches that occurred recently in Australia, one of which resulted in an AU$15 million ransom1, and another which resulted in 10,200 individuals having their personal information leaked online.2

As noted in our previous publication (see here), the Bill seeks to broaden the extra-territorial jurisdiction of Australian privacy laws, so New Zealand entities doing business in Australia should take note of the coming changes. This is particularly important as the strengthening of the penalty provisions, and the expansion of enforcement powers, signals that Australia will not only have higher expectations of privacy and security practices, but also that there is going to be a more active and intense attitude towards enforcement.

The Bill will significantly strengthen Australian privacy laws by:

  • providing the Office of the Australian Information Commissioner (OAIC) greater information sharing and enforcement powers to resolve privacy breaches;
  • expanding the Australian Communications and Media Authorities (ACMA) ability to share information;
  • strengthening the Notifiable Data Breaches scheme; and
  • increasing penalties under the Privacy Act 1988 (Cth) (the Australian Privacy Act) for data breaches.

These increased penalties will see the maximum penalty for serious or repeated privacy breaches increased from AU$2.22 million to whichever is the greater of:

  • AU$50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30% of a company's adjusted turnover in the relevant period.

The higher penalties and new powers will come into effect the day after the Bill receives Royal Assent from the Governor-General.

At this stage it is not confirmed when enactment of the Bill will take place, however we anticipate this will occur ahead of the comprehensive review and proposed overhaul of Australia’s Privacy Act, which is currently being finalised by the Attorney-General’s office. Therefore we expect the Bill to be enacted, and the OAIC to start exercising its new powers, early next year.

New Zealand businesses currently operating or planning to enter the Australian market will need to prepare for this change, and should start to proactively consider their privacy practices - including their data protection and information security systems.

If you have any questions about the matters raised in this article, please get in touch with the contacts listed, or your usual Bell Gully adviser.

1 Medibank hacker says ransom demand was US$10m - The Guardian2 Hackers have released stolen Medibank data on the dark web. What does this mean for customers? - ABC News

Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.