The Bill, if enacted, will significantly strengthen Australian privacy laws, including by: giving the Office of the Australian Information Commissioner (OAIC) greater information sharing and enforcement powers to resolve privacy breaches; expanding the Australian Communications and Media Authority's (ACMA) ability to share information; strengthening the Notifiable Data Breaches scheme; and increasing the penalties under the Privacy Act 1988 (Cth) (the Australian Privacy Act) for data breaches.
What drove the introduction of the Bill?
The Bill follows two recent major Australian data breaches, and was introduced even though Australia's privacy laws were already under comprehensive review. The breaches are:
- Optus, a telecommunications provider, had its current and former customers' personal information, including identity documents such as passport numbers, compromised in a cyber-attack disclosed on 22 September 2022.[1]
- Medibank, one of Australia's largest private health insurers, had all of its customers' data, including health claims, accessed and potentially stolen from its systems in a cyber-attack, as confirmed on 4 November 2022.[2]
The Australian Attorney-General, on introducing the Bill, stated:
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business. We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”[3]
What does the Bill include?
The Bill increases the maximum penalty for “serious or repeated” interferences with privacy as follows:
- Anyone other than a body corporate: AU$2.5 million.
- Body corporate: an amount not exceeding the greater of:
  - AU$50 million;
  - three times the value of the benefit obtained from the conduct; or
  - if the court cannot determine the value of the benefit, 30% of the body corporate's adjusted turnover in the relevant period.
The Bill also creates a separate civil penalty provision that applies where a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour.
The new penalties are a significant increase from the current maximum penalties under the Australian Privacy Act of AU$444,000 for persons other than a body corporate, and AU$2.2 million for body corporates. These increased penalties are consistent with the new maximum penalties under the Australian Consumer Law (ACL), which passed both houses of the Australian Parliament in October 2022 as part of the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022.
By way of comparison internationally:
- under Article 83 of the EU's General Data Protection Regulation (GDPR), the maximum fine for a comparable breach is 20 million euro (approx. AU$30.8 million) or 4% of the firm's total worldwide annual turnover for the preceding financial year, whichever is higher; and
- New Zealand's comparable penalty is a maximum fine of NZ$10,000 or, if a complaint is taken to the Human Rights Review Tribunal, damages of up to NZ$350,000.[4]
The Australian Privacy Act currently applies to businesses that collect or hold personal information in Australia. Critically, the Bill seeks to extend the jurisdiction of the Australian Privacy Act to all entities that simply “carry on a business in Australia”, meaning that more foreign entities, including those which operate offshore, will be subject to the Australian Privacy Act (including the new penalty provisions). As explained in the Explanatory Memorandum, this amendment is to “ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians' information directly from a source in Australia.”
Further, the amendment has been drafted to “reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia… [which] otherwise [would] be carrying on a business in Australia, and should be required to meet the obligations under the Privacy Act.” This amendment mirrors the ACL, which already extends to “Australian incorporated bodies or those carrying on business in Australia.”
Extra-territorial provisions like this are not new to global privacy and data security laws. For example, the New Zealand Privacy Act also applies to businesses in the course of “carrying on business in New Zealand” and the GDPR even more broadly applies to businesses who ‘target’ individuals in the EU.
Enhanced Enforcement Powers
Beyond imposing much higher financial penalties and expanding the Australian Privacy Act's jurisdiction, the Bill also increases the enforcement powers of the Australian Information Commissioner. For example, it:
- expands the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation;
- gives the Commissioner new powers to conduct assessments;
- gives the Commissioner new infringement notice powers to penalise entities that fail to provide information, without the need to engage in protracted litigation; and
- strengthens the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach, so as to assess the particular risk of harm to individuals.[5]
Enhanced Information Sharing Powers for the OAIC and ACMA
The Bill will also enhance the OAIC's ability to share information, for example by:
- clarifying that the Commissioner can share information gathered through the Commissioner's information functions, freedom of information functions and privacy functions;
- giving the Commissioner the power to disclose information or documents to an enforcement body, an alternative complaint body, or a State, Territory or foreign privacy regulator, for the purpose of the Commissioner or the receiving body exercising their powers or performing their functions or duties; and
- giving the Commissioner the power to publish a determination, or information relating to an assessment, on the Commissioner's website, and to disclose any other information acquired in the course of exercising powers or performing functions or duties if doing so is in the public interest.[6]
The ACMA's ability to share information with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law will also be expanded.
What does this mean for New Zealand businesses?
As the Bill broadens the extra-territorial reach of Australian privacy law, New Zealand entities doing business in Australia must ensure their privacy practices are up to date and compliant with the new amendments if they are enacted.
This is particularly important because the strengthened penalty provisions and expanded enforcement powers signal not only that Australia will have higher expectations of privacy and security practices, but also that enforcement will become more active and intense. We can expect the OAIC to actively exercise its new powers, including by applying to the Federal Court or the Federal Circuit Court to enforce the penalty provisions.
As noted, the proposed amendments bring the Australian Privacy Act into line with the recently amended Australian Consumer Law. This may be a further indication that Australian enforcement agencies are entering a new and stricter enforcement phase, in Australian consumer law more broadly as well as in privacy and security practices.
New Zealand businesses currently operating or planning to enter the Australian market should proactively consider their privacy practices, including whether their data protection and information security systems are commensurate to the increased level of legal, regulatory and financial risk.
If you have any questions about the matters raised in this article, please get in touch with the contacts listed, or your usual Bell Gully adviser.
[1] Optus “Optus notifies customers of cyberattack compromising customer information” (press release, updated 22 September 2022).
[2] Medibank “Cyber event updates and support” (press release, updated 8 November 2022).
[3] Attorney-General “Tougher penalties for serious data breaches” (press release, 22 October 2022).
[4] See Privacy Act 2020 (NZ) s 133(3) and ss 97-111.
[5] Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Explanatory Memorandum) at 3.
[6] Ibid at 4.