Increased penalties for breaches among major amendments to Privacy Act

On 12 December 2022 the Privacy Act 1988 (Cth) (the Act) was updated, implementing the most significant reforms to privacy laws in Australia since the notifiable data breaches scheme commenced in 2018. The Government’s intention for the bill is to provide more confidence among Australians that their data is adequately protected. The recent Medibank and Optus breaches were referenced in the second reading speech as “examples of privacy breaches causing serious financial and emotional harm to Australians.” For further information on recent high profile data breaches in Australia, see our article here.

A major amendment is the increase in penalties for “serious or repeated interferences with privacy” by organisations, and the provision of further information sharing and enforcement powers to the Australian Information Commissioner under the Act.

The maximum penalty for a serious or repeated privacy breach has risen from just $2.22M to no more than the greater part of:
  • $50M; or

  • Three times the value of any benefit derived from a company’s misuse of data if a Court can determine the value of that benefit, or if that benefit cannot be determined, 30 per cent of a company’s domestic turnover within the relevant period of the contravention (minimum 12 months).

One of the critical changes is broadening the scope of the ‘Australia link’ for extra-territorial entities. The amendments lower that threshold by removing the need for the entity to be required to hold personal information that has been collected or held in Australia.

Other amendments to the Act include:
  1. Strengthening the Notifiable Data Breaches Scheme - empowering the Commissioner to request information and documents from an Australian Privacy Principles (APP) entity about an actual or suspected eligible data breach and conduct assessments of an entity's compliance with the scheme.

  2. New information sharing powers between the Privacy Commissioner and other authorities.

  3. Increased enforcement powers – the commissioner can now require that the person or entity engage an independent adviser to review the acts or practices that were the subject of the complaint, and may also require the person or entity to prepare and publish a statement setting out various details in relation to the conduct and any steps taken to remediate an interference with privacy.

Commentators have been critical of the fact that the term “serious” and “repeated” inference is undefined; there is a lack of clarity as regards the powers of enforcement, especially where, as a result of the amendments to the Act, the significant increase in penalties heightens the exposure for organisations caught by the Act.

A further consequence of the amendments is that it brings into scope multinational organisations that carry on business in Australia where they processes any personal information, rather than Australian personal information.

Companies should reconsider whether they now fall within the scope of the Act and update compliance procedures accordingly.

Risk management and insurance for breaches of privacy law

Organisations required to comply with the Privacy Act should take heed of policies, measures, and systems in place to protect and manage private information as well as response plans in the event of a privacy breach.

Legal costs incurred in responding and complying with enquiries brought by regulatory authorities such as the Information Commissioner are insurable via Statutory Liability insurance and Cyber Insurance policies.

For further information on risk management relating to privacy legislation, please contact us via the form below.

Stay informed with our latest articles

* indicates required