The Australian government is weighing stringent new privacy reforms that would establish among the steepest penalty regimes in the world for serious or repeated breaches.

On Oct. 26, Australia’s Attorney General Mark Dreyfus introduced in parliament the “Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022,” proposing significant amendments to the country’s 1988 Privacy Act. On Nov. 9, the bill passed the House of Representatives without amendment and moved to the Senate. The Senate Standing Committee on Legal and Constitutional Affairs will review the bill and is scheduled to issue its report Nov. 22.

The most substantial change would increase the maximum civil penalty for “serious or repeated” interferences with privacy from the current cap of AUD$2.22 million (U.S. $1.5 million) to an amount not more than the greatest of: AUD$50 million (U.S. $33.5 million); three times the value of the benefit the company obtained from the conduct; or, if a court cannot determine the value of that benefit, 30 percent of the company’s domestic turnover in the relevant period.

As proposed, the new penalty amount would exceed the fixed maximum under the European Union’s General Data Protection Regulation (GDPR) of 20 million euros (U.S. $20.7 million); GDPR alternatively allows a fine of up to 4 percent of worldwide annual turnover, whichever is higher.

“Penalties for privacy breaches cannot be seen as simply the cost of doing business,” Dreyfus remarked in a speech before the Australian House of Representatives. “Entities must be incentivized to have strong cyber and data security safeguards in place to protect Australians.”

The proposal follows a spate of high-profile data breaches affecting Australian consumers, including at telecommunications giant Optus and health insurer Medibank.

New information-gathering powers

A proposed amendment would enhance Australia’s existing “Notifiable Data Breaches” (NDB) scheme by strengthening the information-gathering powers of the Office of the Australian Information Commissioner (OAIC), the country’s privacy regulator. Currently, companies must notify the commissioner and “take reasonable steps to notify affected individuals when a data breach is likely to result in serious harm to the affected individuals.”

Generally, following a breach, companies must disclose the kind(s) of personal information compromised in an eligible breach. As amended, the bill would require the “particular” kind(s) of information to be disclosed. For example, rather than simply disclosing that “contact” information was compromised, the company would have to state which kinds of contact information (e.g., home address, phone number, email address) were compromised.

“This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals and take actions, such as issue a direction for the entity to notify individuals who have been affected by a data breach,” Dreyfus stated.

Currently, information available to the OAIC about an “eligible” data breach under the NDB scheme is limited to what a company voluntarily discloses. To obtain detailed information about a breach, the commissioner must make a preliminary inquiry.

Under the proposed changes, the OAIC would have authority to issue a notice requiring an entity to provide information or documents, or requiring certain individuals to answer questions, about an actual or suspected eligible data breach. Companies that don’t comply with such a notice may face criminal penalties.

“Assuming the bill passes, it is likely the OAIC will have a strong appetite to pursue enforcement action in order to set a precedent on how the increased penalty regime will operate in practice,” said James North, head of technology, media, and telecommunications at law firm Corrs Chambers Westgarth. “This means companies should be on notice that if they find themselves subject to a significant data breach or otherwise commit serious privacy breaches, they will likely find themselves under intense scrutiny by the OAIC and may be slapped with some heavy penalties.”

New information-sharing powers

The OAIC would be authorized to share information it gathers with other enforcement bodies, as well as other state, territory, or foreign privacy regulators, under the proposal.

“This will drive better cooperation between regulators (i.e., the Australian Communications and Media Authority) in order to deliver better outcomes for Australians,” said Dreyfus.

North said companies can expect to see “greater collaboration between domestic as well as foreign regulators, which will likely mean more joint initiatives and investigations, especially where global companies are involved in data breaches or other privacy breaches.”

As stated in the proposed bill, information or documents may only be shared where the OAIC is “satisfied on reasonable grounds” that a foreign privacy regulator has “satisfactory arrangements in place for protecting the information or documents shared.” Recipients may use the information only for the purposes for which it was shared. However, it’s not clear how those safeguards will be enforced in practice.

The bill also would empower the OAIC to disclose or publish information on its website about ongoing investigations or a final determination following a privacy investigation, if it deems such disclosures to be in the public interest. The aim of that provision, Dreyfus said, is to ensure Australians are informed of instances where their privacy might have been compromised.

In considering whether to make a public disclosure, the OAIC would have to weigh a range of factors, including but not limited to the rights and interests of any complainant or respondent; whether the disclosure will, or is likely to, prejudice any investigation or activities conducted by an enforcement body; and whether the disclosure will, or is likely to, reveal the personal information of any person or confidential commercial information.

Following completion of an investigation, the commissioner would be empowered to compel companies to improve their compliance practices to reduce the likelihood of committing further privacy breaches.

The bill further would authorize the commissioner to require companies to engage “a suitably independent and qualified adviser to assist this process,” the equivalent of an independent compliance monitor in the United States.

Extraterritorial application

Currently, a foreign company is covered by the Privacy Act only if it carries on business in Australia and collects or holds Australians’ personal information in Australia. The bill would remove that second requirement, broadly expanding the law’s extraterritorial reach to “ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore,” Dreyfus said.

“With the potential broadening of the Australian Privacy Act’s extraterritorial jurisdiction, it’s not only Australian companies that need to reconsider their privacy practices but foreign companies as well, including those that have never had to previously comply with the Privacy Act,” North said.

Data privacy practices

“These changes will materially change the risk profile of privacy breaches in Australia and have wide-ranging operational implications for regulated companies in managing data breach responses and for their privacy management frameworks,” said Helen Clarke, partner at law firm Johnson Winter Slattery.

“Foreign companies doing business in Australia—even simply by offering products and services to customers in Australia through a website accessible in Australia—should also seek expert advice from local counsel in Australia to determine whether you have an ‘Australian link’ and are therefore bound by the Privacy Act, including the NDB scheme,” Clarke added.

Australian companies and foreign companies doing business in Australia are advised to review their data privacy policies and procedures, ensuring they reflect the imminent new privacy obligations.

“Companies must act without delay to ensure their privacy regimes, as well as their data security capabilities, are up to scratch and appropriately reflect technological, reputational, financial, and legal risk,” North said.

Clarke and North recommended the following measures:

  • Conduct a privacy and data audit to understand when, where, and how the organization collects, stores, uses, and discloses personal information;
  • Identify where risks exist and confirm what steps are required to mitigate those risks;
  • Develop and regularly test the data breach response plan, including ensuring it addresses how to respond to the OAIC’s new information requests;
  • Ensure from the board of directors down there are clear management, escalation, and reporting policies that are well understood and up to date;
  • Train employees on cyber risk and privacy law compliance obligations; and
  • Review third-party contractual obligations pertaining to the storing and/or processing of personal information on the company’s behalf, strengthening obligations where needed.

“It’s important to reiterate retaining data for longer than necessary presents an increased opportunity for malicious actors, which may otherwise be mitigated by appropriate data handling processes,” North said.

Companies should seek legal advice to ensure they are striking the right balance between their data retention and data destruction obligations, North added. “Data hygiene should also be a focus, and companies should conduct regular audits and automate data cleansing in order to remove unnecessary information from the data sets,” he said.