As a business that handles information, it is essential that you are aware of the proposed amendments to Australian privacy laws. Following some high-profile data breaches at large Australian corporations, the federal government has announced several legislative changes to safeguard and strengthen Australian privacy laws. If passed, significant financial penalties would apply for serious and repeated data breaches.
This article outlines the proposed amendments, their implications, and their impact on businesses’ rights and their existing suite of privacy documents.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) proposes to significantly increase the penalties for serious or repeated interference with the privacy of an individual.
In addition to the increased penalties, the Office of the Australian Information Commissioner (OAIC) will gain greater enforcement and information-sharing powers.
The Bill seeks to increase the enforcement powers available to the OAIC, which would allow it to:
Under the Bill, entities that fail to comply with an OAIC infringement notice without a reasonable excuse face increased penalties as follows:
Based on the current penalty unit value, this leads to a maximum civil penalty of $13,320 for individuals and $66,600 for companies.
The Bill further provides the OAIC with new information-sharing powers. Notably, if the Bill passes, the OAIC will have express power to publish a final determination following a privacy investigation, as well as information about a final assessment report, on its publicly accessible website.
In addition, the OAIC can share information with:
The OAIC may share information with these authorities so the authority, or the OAIC, can perform its functions or duties.
For example, the OAIC can share information with the eSafety Commissioner on matters relating to online safety. This enhanced power intends to ensure any enforcement bodies receiving information from the OAIC can perform their role with greater efficiency and efficacy.
Additionally, the OAIC’s information-sharing powers will be subject to several limitations to ensure they are reasonable, necessary and proportionate. For instance, the OAIC must be satisfied on reasonable grounds that the receiving authority has satisfactory arrangements for maintaining the security of the information or documents.
The Bill will also amend the Australian Communications and Media Authority Act 2005 (ACMA Act) to expand the ACMA’s ability to share information with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.
The privacy law updates seek to reflect the fact that multinational corporations collect and hold personal data in the cloud. Currently, the Privacy Act applies to entities operating outside Australia if they have an ‘Australian link’. An Australian link, for the purposes of the Privacy Act, exists if:
The Bill proposes to amend the Act’s extraterritoriality provisions by removing the requirement that the personal information was collected or held by the organisation in Australia (either before or at the time of the act).
This amendment means that, even if a foreign organisation does not collect an individual’s information directly from an Australian source, it must still comply with the obligations under the Privacy Act if it ‘carries on a business’ in Australia.
This enables the Privacy Act obligations to be enforced against global technology companies that process an Australian’s information offshore.
The original post can be found on LegalVision's website.