Privacy Breach Penalties – Substantial increases now passed into law

Written by: The Hilltops Phoenix


In November this year, the Office of the Australian Information Commissioner (OAIC) released its report on notifiable data breaches for the period January to June this year (the full report is available at www.oaic.gov.au). It is reassuring that the report records a 14% decline in notifiable data breaches since the latter half of last year, and a 31% decrease in breaches resulting from human error. Concerningly, human error still accounted for 33% of the breaches notified in the January to June period. A further 63% of breaches were attributed to malicious or criminal attacks, and 4% to system faults.

A number of data breaches have occurred since the Optus data breach, including notifications from Telstra and Medibank as well as from real estate companies, gaming websites and online retail marketplaces. In our October article, we noted that there were calls for updates to the Privacy Act, with concerns also surrounding the collection, use, retention, erasure and disclosure of personal information.

Subsequently, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced into Parliament on 26 October 2022. The Bill, which has now passed the Senate, significantly increases the penalties for serious and/or repeated privacy breaches, enhances the information-gathering powers of the OAIC and gives the OAIC the ability to share information publicly where it is in the public interest to do so.

The OAIC has issued a statement welcoming the passing of the Privacy Bill, with Australian Information Commissioner and Privacy Commissioner Angelene Falk saying, “The updated penalties will bring Australian privacy law into closer alignment with the competition and consumer remedies and international penalties under Europe’s General Data Protection Regulation.” She also stated that, “The review presents an important opportunity to ensure that Australia’s Privacy Act empowers individuals, protects their data and best serves the Australian economy.”

The Bill provides that a corporation found to have committed a serious or repeated interference with privacy is subject to a maximum penalty not exceeding the greater of:

  • AU $50 million;
  • Three times the value of the benefit obtained from the conduct; or
  • If the court cannot determine the value of the benefit, 30% of the corporation's adjusted turnover in the relevant period.

This is a significant increase on the previous maximum penalty of AU $2.2 million. Further changes to refine the new penalty regime are anticipated in the near future.

In addition to the changes to penalties, the Bill gives the OAIC greater powers to participate in the response to, and resolution of, data breaches. The extraterritoriality provisions have also been amended: a corporation that "carries on a business" in Australia must now meet its obligations under the Privacy Act even if it is domiciled overseas, and whether or not it collects or holds personal information within Australia.

To avoid breaches and the significant penalties that now follow them, corporations should review their legal obligations in respect of any personal information they collect or hold. While having a privacy policy has become almost universal, a policy alone is not sufficient. All companies should undertake an in-depth review of their data collection and management practices (including how long personal information is retained, since information that is no longer held cannot be breached), seek professional assistance in creating or updating a security policy and a data breach response plan, and consider obtaining cyber security insurance for additional protection.

The contents of this article are general in nature. For advice specific to your circumstances, please contact your legal practitioner.
