April 14, 2019

Privacy Act to be seriously strengthened by proposed amendments

The Attorney-General, Christian Porter, and Senator Mitch Fifield have proposed sweeping amendments to the Privacy Act 1988 (Cth) (‘Act’). These will empower the Office of the Australian Information Commissioner (‘OAIC’) to issue much larger penalties for both minor and serious breaches of Australian privacy laws, and give it more flexibility in responding to significant data breaches in the public interest. The proposed changes, and their likely consequences, are set out below.

Increased maximum penalties

Under the Act, the current maximum penalty for serious and/or repeated breaches is $2.1 million. The amendments propose to increase the maximum penalty for serious and/or repeated breaches to the greater of:

  • $10 million; or
  • Three times the value of any benefit obtained from the misuse of the information; or
  • 10% of a company’s annual domestic turnover.

The proposed changes increase the penalties by a minimum of almost 5 times – i.e. from $2.1m to $10m. For small to medium sized businesses in particular, this means that serious and/or repeated breaches of privacy could, in theory at least, spell the end of their Australian enterprise.

For very large businesses, the impact of serious and/or repeated breaches would also become extremely serious. For example, a company turning over a billion dollars could face a penalty of $100m (representing 10% of its turnover).

The “benefit test” and the “turnover test” are brand new measures of deriving privacy penalties in Australia.

Comparison between Privacy Act and the GDPR

Comparing the proposed new penalties to the GDPR, Europe has no equivalent to the “benefit test”. It remains to be seen how regulators might quantify the benefit infringers gain from the misuse of breached information.

Further, the 10% of turnover test is higher than the threshold imposed by the GDPR (4%). However, the GDPR looks at worldwide sources of revenue, whereas the Australian government’s proposed changes quarantine the threshold to revenue earned only from Australian sources. Multi-national businesses with complex revenue and tax structures that extend beyond Australia are potentially not caught by the proposed new laws.

OAIC Breach Notices

The proposed changes will also expand the other options available to the OAIC to ensure breaches are addressed, including through third-party reviews (e.g. ‘privacy compliance audits’), and allow it to publish prominent notices about specific breaches to ensure those directly affected are advised.

This will allow the OAIC to make public notices for significant data breaches like the Ashley Madison hack that occurred in 2015. It would give the OAIC broader, public interest-focused powers that align with its role under the Notifiable Data Breach scheme (‘NDBS’) introduced in February 2018.

Requirements to stop using personal information

The amendments are also intended to create a mechanism by which certain social media and online platforms would be obliged to stop using or disclosing personal information of users upon request. This is in line with previous recommendations of the Australian Law Reform Commission, and would usher in a significant shift in the privacy rights of Australians. At present the Act only requires certain entities to stop using personal information when it is no longer needed for the purpose for which it was collected. Whilst details are currently limited, the newly announced amendments appear to be signalling development of an Australian equivalent of the European “Right to be Forgotten”.

Again, this reflects a trend in specific global privacy laws, including, for example, Germany’s GDPR-based Network Enforcement Act, commonly referred to as NetzDG. Currently the NetzDG empowers regulators to require removal of content from social media.

Other amendments

The proposed amendments to the Act will also:

  • Provide the OAIC with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches; and
  • Introduce specific rules to protect the personal information of children and other vulnerable groups.

The press release from the Attorney-General also flagged that amendments will likely include any final recommendations from the Digital Platforms inquiry, to be released in June 2019.

When are the Privacy Act amendments due?

The legislation is not proposed to be drafted for consultation until after the federal election. Affected entities should not expect the changes to arrive before the second half of 2019 at the earliest, and expectations should likely be set beyond the commencement of 2020.

Concluding remarks

These amendments should be viewed in the context of a global regulatory trend towards imposing greater obligations on social media and online platforms. Along with further changes that are likely to be made in the coming years, these proposed changes are set to transform the Australian data privacy landscape, empowering the OAIC to exert greater control over a previously unregulated sector.

This information is general in nature. If you would like to learn more about how Australian data and privacy laws affect you, please contact us below.
