Dark web nets tougher privacy laws

In response to recent cyber attacks, last week (28 November 2022) the federal Parliament passed the first round of amendments to the Privacy Act 1988 (Cth) and related legislation (the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022).

The amendments significantly increase penalties for serious privacy breaches to $50 million or more, and give the Australian Information Commissioner greater information gathering and enforcement powers.

The amendments were being considered by the federal government as part of its broader review of the Privacy Act which commenced in 2019 and remains ongoing. The Attorney General’s decision to expedite these select amendments evidences the increasing public and political scrutiny of businesses in relation to their systems and controls for protecting customer personal data.

The amendments, which will likely come into effect this week or next, provide for:

1. Expanded application of the Privacy Act to overseas businesses – Previously the Privacy Act only applied to international entities who collected or held personal information from Australian sources. The amendments approved last week remove this criterion, and now only require that the international entity carries on business in Australia.

2. Significantly increased penalties of $50 million or more – Penalties for serious or repeated interferences with privacy increase from the current maximum of $2.2 million for corporations to the greater of the following:

   • $50 million;

   • three times the benefit obtained from misuse of the information, if this can be determined; or

   • 30% of the entity’s adjusted turnover.

3. Compulsory information gathering powers – The Australian Information Commissioner may now compel from any person documents or information in relation to an actual or suspected eligible data breach. Such information may be made public if determined to be in the public interest, or the Commissioner may share the information with other authorities or agencies on certain conditions.

4. Enhanced investigation outcomes – Upon investigating a data breach by an entity, the Australian Information Commissioner may now require the entity to publish a public statement concerning the conduct leading to the breach and to engage an independent adviser to review that conduct.

What do these changes mean for Australian businesses?

  • Significantly higher penalties send a clear message from the federal government that serious breaches of privacy requirements cannot be regarded as a ‘cost of doing business’.

  • Australian businesses with overseas related entities should assess whether those entities are now required to comply with Australian privacy laws in addition to other privacy frameworks including the General Data Protection Regulation (GDPR) applicable in the EU.

  • These amendments and the Privacy Act will continue to apply only to businesses with a turnover of more than $3 million (with some exceptions). However, the recent increase in significant data breaches may be the catalyst for the federal government to push for removal of this “small business exemption”, particularly as the Information Commissioner has officially endorsed removal of the small business exemption.

  • Scrutiny over customer data protection will continue to increase. Businesses should consider the effectiveness of their systems for data protection and data breach response even if not required to comply with the Privacy Act because turnover is $3 million or less. Small businesses remain subject to the Commissioner’s enhanced information gathering powers set out above, especially if providing services to larger organisations with higher risks of cyber attacks. The involvement of small businesses in significant data breaches could be made public if the Commissioner is satisfied that it is in the public interest.

The Attorney General’s department has foreshadowed further reforms to come.

If you would like assistance considering these amendments or your organisation’s compliance with privacy laws, please give us a call.
