Tougher penalties to be introduced under the Privacy Act

17 May 2019

Businesses operating in Australia are subject to a kaleidoscope of constantly evolving privacy obligations. As privacy week draws to a close, it is an opportune time to look forward to how the privacy landscape might change in the future, subject to the outcome of tomorrow’s federal election.

  • Proposed amendments to the Privacy Act aim to meet community expectations around security of personal information online
  • Financial penalty for breaches of the Privacy Act by organisations to increase from $2.1 million to more than $10 million
  • $25 million additional funding for the Office of the Australian Information Commissioner (OAIC) to investigate and respond to breaches, including new powers to issue infringement notices for businesses and individuals

Australians are doing business and buying goods and services online at a growing rate. Each of these transactions will involve the sharing of some form of personal information. It is becoming harder for regulators and businesses to strike a balance between continued innovation and ensuring that information can be shared in a safe and secure manner.

Attorney-General Christian Porter and Minister for Communications and the Arts, Mitch Fifield, acknowledge that Australian laws need to adapt to a continually developing area. As part of the Coalition’s election platform, they have jointly announced a new penalty and enforcement regime under the Privacy Act 1988 (Cth) (Privacy Act) aimed at better securing the personal information that Australians share online.

The proposed amendments to the Privacy Act promise to:

  • Increase penalties for serious or repeated breaches of the Privacy Act for all businesses (including social media and online platforms operating in Australia), from the current maximum penalty of $2.1 million to the greater of:
      – $10 million;
      – three times the value of any benefit obtained through the misuse of information; or
      – 10% of a company’s annual domestic turnover;
  • Give the OAIC new powers to issue infringement notice penalties of up to $63,000 for organisations and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches;
  • Increase protections for the personal information of children and other vulnerable groups;
  • Allow individuals to request that their personal information cease being used or disclosed (and to require organisations to comply with these requests); and
  • Expand the enforcement powers of the OAIC.

The new regime also proposes a Code which will require increased transparency about any data sharing and more specific consent from users when social media and online platforms collect, use and disclose personal information about Australians.

The OAIC will be provided with an additional $25 million over three years to give it the resources to take enforcement action on breaches of the new regime under the Privacy Act.

What does this mean for you?

If the Coalition is successful at tomorrow’s federal election, the proposed legislation is expected to be drafted and open to consultation in the second half of 2019.

The proposed changes will limit the way personal information is handled online. As a result, businesses will need to refresh their understanding of their obligations when collecting information online, and ensure they are properly equipped to recognise and respond to a data breach.

As we wait to see how (and if) the proposed laws will be finalised, this is an opportune time for all businesses to review their personal information handling practices, security measures and in particular their data breach response plans.

Our expert privacy and data protection lawyers would be pleased to assist you to understand your obligations when collecting information online and to help you to maximise the commercial value of that data in a way that is permitted under the law.