Following high profile data breaches, the Privacy Act 1988 (Cth) (Privacy Act) has been amended to increase the monetary penalties for serious or repeated privacy breaches. Additionally, the Information Commissioner now has greater powers to gather and to share information to resolve data breaches.
Up to an estimated 10 million Australians have been affected by at least one of the high profile data breaches affecting high profile Australian companies in 2022. In October 2022, the Attorney General, the Hon Mark Dreyfus KC MP, promised to toughen Australia’s privacy laws. In December 2022, the Privacy Act was amended to increase penalties for serious or repeated breaches of privacy and to improve the capacity of the Information Commissioner to gather and share information about data breaches.
Tougher penalties
The headline grabber is the increase to penalties for serious or repeated breaches of privacy. The table below sets out how the amended Privacy Act provides for significantly greater civil penalties for serious or repeated interferences of privacy when compared to the penalties under the Act before the amendments received royal assent.
|
Previous penalty amounts |
New penalty amounts |
Bodies corporate |
$2.22 million |
An amount not exceeding the greater of:
|
Other entities |
$444,000 |
$2.5 million |
The Government’s intention for these changes is to ensure that tougher penalties meet community expectations for serious data breaches and deter organisations from continuing to engage in “problematic data practices”.
Whilst the impetus for the amendments may have been large consumer-oriented businesses with high profile data breaches, the increased penalties apply to all public and private sector organisations governed by the Privacy Act. Accordingly, all organisations governed by the Privacy Act should ensure that they give the necessary oversight, management and resources to privacy compliance and information security, having regard to the context of those organisations and their activities.
Greater information gathering and sharing powers
Under the Privacy Act’s notifiable data breach (NDB) scheme, organisations governed by the Privacy Act have obligations to notify the Information Commissioner and affected individuals of an “eligible data breach”. Although the concept of an “eligible data breach” has not changed, the Information Commissioner is now granted greater information gathering and information sharing powers.
The Information Commissioner now has the power to compel an organisation to provide information and/or documents relevant to an actual or suspected “eligible data breach” of the organisation, and/or the organisation’s compliance with the Privacy Act in relation to an “eligible data breach”.
Additionally, the Information Commissioner is provided with greater information-sharing powers to share information regarding a notified data breach with other regulators, both domestically and internationally. The Commissioner has the power to publish a determination or information relating to an assessment on the Commissioner’s website, and disclose all other information acquired in the course of performing functions or duties if it is in the public interest.
Key Takeaways