Significant changes to the Privacy Act are expected by the end of the year. A newly elected government combined with a spate of high-level cyber security incidents have brought privacy protection reforms into focus. In the wake of the Optus and Medibank data breaches, the government is introducing a bill that will significantly increase the financial penalties for breaching privacy protections as well as regulator powers.

These proposed changes should act as a wake-up call for businesses to get their personal information handling practices in order to avoid the risk of significant fines.

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

The Australian Government has introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill). The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 and the Australian Communications and Media Authority Act 2005. If passed, the Bill will:

  1. increase penalties under the Privacy Act;
  2. expand the Privacy Act’s extraterritorial jurisdiction; and
  3. provide the Office of the Australian Information Commissioner (OAIC) and Australian Communications and Media Authority (ACMA) with greater powers.

Changes to Penalties

The Bill proposes that the maximum penalty for serious and/or repeated privacy breaches by a body corporate be the greater of:

  • $50,000,000;
  • three times the value of the benefit obtained directly or indirectly by the body corporate as a result of the contravention (as determined by the court); or
  • 30% of a company’s adjusted turnover in a relevant period.

Amendments to Jurisdiction

The Bill amends the extraterritorial jurisdiction of the Privacy Act to ensure that foreign entities carrying on a business in Australia are required to meet the obligations under the Privacy Act.

Under the Bill, the Privacy Act obligations must still be met even if the business does not collect Australians’ information directly from an Australian source.

Increased Powers to the OAIC and ACMA

The Bill also introduces proposed amendments to the OAIC’s and ACMA’s scope of power.

These proposals include:

  • strengthening the Notifiable Data Breaches Scheme by allowing the OAIC to obtain information or documents in relation to actual or suspected data breaches;
  • giving the OAIC the power to issue infringement notices and penalise entities that fail to provide information to the OAIC;
  • increasing the power of the OAIC and ACMA to share information with each other and other authorities;
  • giving the OAIC the power to disclose information on data breaches if it is in the public interest; and
  • expanding the types of declarations that the OAIC can make in a determination at the conclusion of an investigation.

Sainty Law can help you with reviewing your current personal information handling practices or developing a robust data breach procedure for your business, so you can anticipate the Privacy Act reforms and the other regulatory and best practice changes that are underway.

Contact us to speak to one of our experienced privacy lawyers.