The Attorney-General, Christian Porter, and Senator Mitch Fifield have proposed sweeping amendments to the Privacy Act 1988 (Cth) (‘Act’). These will empower the Office of the Australian Information Commissioner (‘OAIC’) to issue much larger penalties for both minor and serious breaches of Australian privacy laws, as well as provide more flexibility in responding to significant data breaches in the public interest. The proposed changes, and their likely consequences, are set out below.
Under the Act, the current maximum penalty for serious and/or repeated breaches is $2.1 million. The amendments currently intend to increase maximum penalties for serious and/or repeated breaches to the greater of:
The proposed changes increase the penalties by a minimum of almost 5 times, i.e. from $2.1m to $10m. For small to medium sized businesses in particular, this means that serious and/or repeated breaches of privacy could, in theory at least, spell the end of their Australian enterprise.
For very large businesses, the impact of serious and/or repeated breaches would also become extremely serious. For example, a company turning over a billion dollars could face a penalty of $100m (representing 10% of its turnover).
The “benefit test” and the “turnover test” are brand new measures of deriving privacy penalties in Australia.
Compared with the GDPR in Europe, there is no equivalent to the “benefit test”. With respect to the “benefit test”, it remains to be seen how regulators might quantify the benefit infringers gain from misuse of breached information.
Further, the 10% of turnover test is higher than the threshold imposed by the GDPR (4%). However, the GDPR looks at worldwide sources of revenue, whereas the Australian government’s proposed changes quarantine the threshold to revenue earned only from Australian sources. Multi-national businesses with complex revenue and tax structures that extend beyond Australia are potentially not caught by the proposed new laws.
The proposed changes will also expand other options available to the OAIC to ensure breaches are addressed through third-party reviews (e.g. ‘privacy compliance audits’), and to publish prominent notices about specific breaches to ensure those directly affected are advised.
This will allow the OAIC to make public notices for significant data breaches like the Ashley Madison hack that occurred in 2015, giving the OAIC broader, public interest-focused powers that align with its role under the Notifiable Data Breach scheme (‘NDBS’) introduced in February 2018.
The amendments are also intended to create a mechanism by which certain social media and online platforms would be obliged to stop using or disclosing personal information of users upon request. This is in line with previous recommendations of the Australian Law Reform Commission, and would usher in a significant shift in the privacy rights of Australians. At present the Act only requires certain entities to stop using personal information when it is no longer needed for the purpose for which it was collected. Whilst details are currently limited, the newly announced amendments appear to be signalling development of an Australian equivalent of the European “Right to be Forgotten”.
Again, this reflects a trend in specific global privacy laws, including, for example, Germany’s GDPR-based Network Enforcement Act, commonly referred to as NetzDG. Currently the NetzDG empowers regulators to require removal of content from social media.
The proposed amendments to the Act will also:
The press release from the Attorney-General also flagged that amendments will likely include any final recommendations from the Digital Platforms inquiry, to be released in June 2019.
The legislation is not proposed to be drafted for consultation until after the federal election. Affected entities should not expect the changes to arrive until the second half of 2019 at the earliest, and expectations should likely be set beyond the commencement of 2020.
These amendments should be viewed in the context of a global regulatory trend towards imposing greater obligations on social media and online platforms. Along with further changes that are likely to be made in the coming years, these proposed changes are set to transform the Australian data privacy landscape, empowering the OAIC to exert greater control over a previously unregulated sector.