Businesses operating in Australia could face fines of $50m or more for privacy breaches under changes to the Privacy Act enacted this week. The Parliament has passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 to significantly increase penalties under the Privacy Act for serious or repeated privacy breaches, following several major data breaches affecting Australian organisations over recent months.
The significant increase in fines will have major ramifications for any business found to be in breach of their obligations. In this post, we summarise the new penalties and other changes introduced in the new legislation, and how your business should respond.
Privacy Act – what’s changed?
Under the amended Privacy Act, the maximum penalty that can now be applied for a serious or repeated privacy breach will be increased from $2.22 million to the greater of:
- $50 million;
- three times the value of any benefit obtained; or
- 30 percent of the company’s adjusted turnover in the relevant period.
The amendment also strengthens aspects of Australia’s privacy regime through greater powers for the Privacy Commissioner to resolve privacy breaches, seek information about notifiable data breaches, and to publish or share information about its investigations with other regulators.
The Bill will become law once assented to by the Governor-General.
While these changes have been prompted by several high-profile data breaches in recent months, the penalties apply to any serious or repeated breach of privacy, not only data breaches. This means a material failure to comply with any of the Australian Privacy Principles could attract the new penalties. The terms ‘serious’ and ‘repeated’ are not defined in the Privacy Act, and some commentators have raised concerns that it is hard to be sure whether conduct meets the standard. We expect these terms to be further defined as part of the broader reforms of the Privacy Act (anticipated in 2023 – more about this below).
The OAIC has also published guidance on these terms, which can be seen here.
There’s more to come
As mentioned above, in addition to introducing these new penalties the Government has also signalled it will complete its broader review of the Privacy Act by the end of 2022.
Some of the areas ripe for reform include:
- introducing an overall requirement that all handling of personal information must be “fair and reasonable”;
- removing or significantly limiting the small business and employee records exemptions;
- broadening the definition of ‘personal information’ to capture additional types of information such as IP addresses, device IDs and other technical information; and
- establishing greater individual rights to take legal action when privacy rights are infringed.
What should I do now?
With the increased penalties now a reality, and further tightening of privacy laws to come, now is a great time for organisations to commence uplifting their privacy programs.
Here are the key things you can do today to prepare:
- Conduct a Privacy Capability Assessment – A PCA is a comprehensive and structured assessment of your privacy program for both compliance and maturity, with recommendations to improve privacy management practices.
- Ensure you have a thorough PIA process in place – A PIA is a systematic way to identify and manage how specific projects or initiatives will impact the privacy of your customers, staff members and other individuals.
- Train your people – Human error is one of the key factors behind data breaches and compliance gaps. Privacy training helps organisations stay compliant by helping people understand the privacy risks they face and empowering them to adopt good privacy practices.
- Conduct a cyber security maturity assessment – APP 11 relates to the security of personal information. Conduct a maturity assessment to understand your current cyber posture and whether your program is fit for purpose.
- Open a dialogue with your board and executives – Now is an opportune time to outline your privacy strategy to senior executives, pre-empt and answer the questions they likely have, and seek to secure funding and resources for 2023 and beyond.
Contact us for assistance at firstname.lastname@example.org on any of the above items.
You can also read elevenM’s analysis of the discussion paper and submissions on the upcoming Privacy Act changes on our blog, and subscribe to our mailing list to get notified of our take on the changes as they happen.