Privacy Act amended to increase penalties significantly for data breaches

On 12 December 2022, legislation substantially increasing the penalties in the Privacy Act 1988 received Royal Assent. The amendments significantly increase penalties for interferences with a person’s privacy and expand the powers of the Australian Information Commissioner (Commissioner).

Higher Penalties

The previous maximum penalty in the Privacy Act 1988 (Cth) (Privacy Act) for a breach of, for example, section 13G (serious interference with privacy) was 2000 penalty units¹ for individuals or 10,000 penalty units for a corporation, which means the maximum fine available per offence committed by a corporation could have been as much as $2.2 million.

The amendments to the Privacy Act have increased penalties substantially and incorporate the contemporary approach to setting penalties for corporations, which takes account of the commercial benefit that may have been obtained from a breach of the law. Penalties will now be the greater of:

  • $50 million;
  • 3 × the value of any benefit obtained through the misuse of information; and
  • 30% of a company’s adjusted turnover in the relevant period.

These penalties are similar to the structure of civil penalties that exist in the Corporations Act.

In respect of the 30 per cent of adjusted turnover provision, the Court making a penalty judgement may determine the adjusted turnover based on the full period of the contravention or, if earlier, the 12 months up to when the conduct ceased or proceedings in relation to the contravention were instituted.

Enhanced powers for the Information Commissioner

The Commissioner’s enforcement powers have been enhanced, including by:

  • expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation
  • amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia
  • providing the Commissioner with new powers to conduct privacy assessments
  • providing the Commissioner with new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation, and
  • strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to independently assess the particular risk of harm to individuals.

Improved Information Sharing

The Commissioner’s ability to share information has been enhanced by:

  • clarifying that the Commissioner is able to share information gathered through the Commissioner’s various functions
  • providing the Commissioner with the power to disclose information or documents to an enforcement body, an alternative complaint body, and a State, Territory or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, functions or duties
  • providing the Commissioner with greater power to publish determinations and other materials acquired during the course of an investigation or assessment, if the Commissioner determines that such a release is in the public interest.

The Australian Communications and Media Authority Act 2005 (Cth) has also been amended to expand ACMA’s ability to share information with any non-corporate Commonwealth entity where the information will enable or assist the entity to perform or exercise any of its functions or powers.

Implications

The new penalty provisions significantly expand the financial penalties associated with a serious interference with privacy, but have not changed the tests for whether an offence under section 13 or section 13G of the Privacy Act has occurred.

The increased penalties and the recent cyber incidents experienced by Optus and Medibank highlight the importance of cyber security teams and privacy teams working together, not only to reduce the risk of unauthorised access but also to assess and reduce the volume of data at risk if systems are compromised.

Privacy teams, at this time, should be looking very hard at their data governance approach, especially their policy settings related to data retention and destruction. The recent cyber incidents, in particular, bring into sharp focus the trade-offs between deep customer data pools and the costs of losing control of that data.


¹ A penalty unit is determined by the Crimes Act 1914 (Cth) and was increased in May 2020 to $222.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.