An overview of the privacy law update and what it means for businesses.
In a nutshell
The Australian Commonwealth Government has amended the Privacy Act 1988 (Cth) (“Privacy Act”) by way of the Privacy Act Amendment (Enforcement, etc.) Bill 2022 (“Amendment”).
The new law will come into force on receiving Royal Assent, which is expected shortly. The Amendment:
- Raises the maximum penalties that can be imposed for serious or repeated interference with an individual’s privacy:
  - A$2.5 million for persons other than bodies corporate; and
  - For bodies corporate, the greater of:
    - A$50 million;
    - If the court can determine the value of the benefit obtained, three times the value of that benefit; or
    - If the court cannot determine the value of the benefit obtained, 30% of the company’s adjusted turnover during the breach turnover period.
- Expands the powers of the Australian Information Commissioner (“Commissioner”) in several ways, making it easier for the Commissioner to learn about an entity’s privacy compliance practices, especially under the notifiable data breach scheme, and giving the Commissioner greater ability to direct what an entity must do to comply.
- Gives the Commissioner better information-sharing capabilities.
The amendments mark the government’s spotlight on the role and responsibility of Australian businesses in protecting individual privacy from potential threats. The revised penalties and regulatory regime are intended to force companies to reassess their privacy processes and encourage a proactive approach to data privacy and security.
The key points for businesses are:
- Increased maximum penalties: the proposed amendments introduce increased maximum penalties for “serious” or “repeated” interference with privacy, giving courts substantial discretion to order large fines. The question remains as to what constitutes “serious” or “repeated” interference with privacy. However, it is clear that companies need to review and keep their data handling practices up to date and ensure that their staff understand the applicable requirements.
- Wider reach over foreign operations: the amendments remove the precondition for extraterritorial application of the Privacy Act that a foreign entity must collect or hold personal information about individuals in Australia at or before the time of the alleged violation. Instead, the Commissioner only needs to show that the overseas entity is carrying on business in Australia in order to enforce the Privacy Act against it. The Commissioner has in any event adopted a broad interpretation of when information is collected or held in Australia, which may suggest that the amendments do not materially change the risks of overseas operations. However, it underlines that an overseas company targeting the Australian market is likely to be subject to the Privacy Act; its compliance position needs to be evaluated and any gaps addressed.
- Infringement notices: the Commissioner can issue infringement notices carrying civil penalties against companies that do not respond to requests for information, answers to questions, or production of documents and records, rather than relying solely on criminal proceedings. This makes it easier for the Commissioner to impose penalties for relatively minor violations.
- The amendment strengthens the power of the Commissioner to declare that a company must take specific actions to remedy the conduct that led to the violation, and to require it to engage an independent and appropriately qualified advisor to assist with this process at the company’s own expense.
- The Commissioner has the authority to preemptively assess a business’s compliance with a notifiable data breach (NDB) scheme, requesting information and documentation for that purpose even if no violation has occurred. Companies should ensure that staff are informed that records relating to the NDB scheme may be requested for review by the Commissioner.
- The Commissioner may also make disclosures in the public interest and publish the results of the evaluation and independent review of the NDB scheme on its website. This means that the commissioner can “name and shame” companies that do not meet their standards, and it also creates the risk that information that companies prefer to keep confidential will be disclosed.
Increased maximum penalty
The increased maximum penalties are consistent with the recently amended maximum penalties for violations of key parts of the Competition and Consumer Law 2010 (Cth) and the Australian Consumer Law. The multi-pronged maximum penalty for companies, which incorporates the complex and broad concepts of “benefit”, “adjusted turnover” and “breach turnover period”, creates a significant risk of severe penalties for companies that “seriously” or “repeatedly” interfere with privacy.
Enhanced enforcement powers of the Commissioner
The Commissioner’s new power to issue infringement notices for failure or refusal to provide requested information, documents, or answers avoids protracted criminal proceedings for minor non-compliance (previously the Commissioner’s only option). Rather than pursuing criminal charges, the Commissioner can fine companies that fail to cooperate before any criminal proceedings are brought against them.
- Minor violations carry a civil penalty of 60 penalty units (currently AUD 13,320).
- A behavioral system or pattern of behavior that results in multiple failures or denials attracts a criminal penalty of 300 penalty units (currently AUD 66,600).
Enhanced sharing capabilities
This amendment enhances the Commissioner’s powers to exchange information with Enforcement Agencies, Alternative Complaints Bodies, State/Territory Authorities, and Overseas Privacy Authorities in order to enhance cooperation.
Sharing is permitted as long as certain broad criteria are met. The sharing must be reasonable, necessary and proportionate to the exercise of the Commissioner’s powers or the performance of the Commissioner’s functions and duties.
This allows the Commissioner to highlight data breaches that meet the criteria to different regulatory bodies. As such, businesses should be aware that much, if not all, of the information collected by the Commissioner and his office may be passed on to another authority. Companies may want to emphasize this point when training staff.
These changes are part of a growing trend to allow enforcement agencies to share information.
Public interest disclosure
This amendment allows the Commissioner to disclose in the public interest information obtained in the course of exercising its powers or in the performance of its functions or obligations under the Privacy Act. Various factors should be considered when determining whether a disclosure is in the public interest. For example, whether an individual’s personal information or confidential commercial information will or may be disclosed, and whether it could adversely affect investigative or enforcement-related activities.
This increases the risk of negative PR resulting from privacy compliance failures.
NDB scheme: information gathering and compliance assessment
The amendment gives the Commissioner powers to:
- Conduct a proactive assessment of a business’s data breach response protocols and processes;
- Issue notices requiring a business to provide certain types of information and/or documentation, or to answer questions, relating to actual or suspected eligible data breaches or to the company’s compliance with the NDB scheme;
- Obtain and copy documents and retain them for the period necessary to assess the business’s compliance with the NDB scheme; and
- Publish information on such assessments and decisions on the Commissioner’s website.
The Commissioner may also require a company to notify an individual in person or publicly of any conduct it determines violates an individual’s privacy, and certify to the Commissioner that such notice has been given.
Ability to Request the Involvement of an Independent Advisor
This proposed amendment empowers the Commissioner, after finding that an individual’s privacy has been interfered with, to require a respondent to engage, at its own expense, an independent and appropriately qualified advisor to assist and advise on remedial action and other related matters. The advisor reports to the Commissioner, who can publish the results on the Commissioner’s website.
Eligible Data Breach Notification Requirements
The amendment requires companies to include in their data breach notifications details of the specific types of information covered by the breach. This is to allow the Commissioner to make a more comprehensive assessment of the risk of harm to individuals and of whether the steps the company proposes in response are adequate.
This requirement can be difficult to meet because these details may not be immediately apparent (or reliable) when the breach is first discovered, and they may change as the company’s investigation into the breach progresses.
The amendments will commence the day after the Amendment Act receives Royal Assent, but certain provisions will have retrospective effect (e.g., the Commissioner’s information-sharing powers will apply to documents and information obtained before the amendment, and the Commissioner may require information and documents relating to data breaches that occurred before commencement).
Regarding the broader review of the Privacy Act, the Office of the Attorney General has reiterated that a report on the review will be delivered by the end of the year. If so, we can expect to see more momentum and development in this area in early 2023, including draft legislation.
Note: The penalty amounts in this alert that are stated to be based on penalty units reflect the value of the Commonwealth penalty unit on 24 November 2022 (i.e. A$222). The value of the penalty unit is expected to rise to A$275 on 1 January 2023, rise again on 1 July 2023, and then be indexed every three years thereafter.
Thanks to Chloe Danvers (General Associate) and Liz Grimwood-Taylor (Senior Knowledge Lawyer) for assistance with this alert.