Amendments to the Privacy Act 1988

The rapidly growing digital economy relies on the collection and analysis of vast amounts of data. Whilst this has undoubtedly enhanced innovation and economic growth and broadened connectivity and access to global markets, it does not come without significant privacy and security risks, as millions of Australians discovered in 2022 following two of the largest and most high-profile data breaches in Australia’s history – Optus and Medibank.

As a result, proposed reforms to strengthen Australia’s privacy laws were fast tracked and the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the Act) came into effect on 13 December 2022.

The Act implements the most significant reforms to Australia’s privacy laws since the introduction of the Notifiable Data Breaches scheme in 2018, and includes the following key reforms (the Reforms):

      • clear extra-territorial application of the Privacy Act 1988 (Cth) (Privacy Act);
      • increased penalties for serious or repeated breaches of the Privacy Act;
      • increased investigative powers for the Office of the Australian Information Commissioner (OAIC), the privacy regulator;
      • strengthening the Notifiable Data Breaches scheme; and
      • introducing new information sharing powers for the OAIC.

Extraterritorial Application

Prior to the Reforms, the Privacy Act had extraterritorial application, but only where the foreign entity had an ‘Australian link’, which it was considered to have if it:

a)   carried on business in Australia; and

b)   collected or held personal information in Australia.

The Act amends the Privacy Act by removing limb (b) so that Australia’s privacy laws will apply to foreign entities that carry on business in Australia, regardless of whether they collect or hold personal information in Australia.

As such, so long as foreign entities carry on business within Australia, they will be within the ambit of the Privacy Act. This reform aligns the Privacy Act with the extraterritoriality provisions of the Competition and Consumer Act 2010 (Cth) (CCA) and simplifies the requirements around the circumstances in which the Privacy Act would extend to an act or practice of an organisation outside of Australia.

Increased Penalties

The Privacy Act imposed the following civil penalties for serious or repeated interference with privacy:

      • for individuals, up to a maximum of $444,000; and
      • for a body corporate, up to a maximum of $2.2 million.

The Reforms significantly increase the civil penalties for serious or repeated interference with privacy to amounts that mirror the recent increases to the maximum penalties under the CCA, being:

      • for individuals, up to a maximum of $2.5 million;
      • for a body corporate, up to an amount not exceeding the greater of:
        • $50 million;
        • three times the value of the benefit derived by the body corporate from the conduct constituting the breach; or
        • if the value of the benefit cannot be determined, 30% of the body corporate’s adjusted turnover in the relevant period.

OAIC Investigative Powers

The Reforms give the OAIC new investigative powers: where the OAIC has reason to believe that a person or entity has information or documents, or can answer questions, relevant to an actual or suspected eligible data breach, the OAIC can require that person or entity to:

      • give information;
      • produce documents; and
      • answer its questions.

The OAIC can issue infringement notices which allow it to penalise people and companies who refuse or fail to comply with its directions to provide information.

Notifiable Data Breach Scheme

The Notifiable Data Breach scheme requires regulated entities to notify individuals and the OAIC about eligible data breaches – data breaches that are likely to result in serious harm to any of the individuals to whom the information relates.

The Reforms strengthen the Notifiable Data Breach scheme by enabling the OAIC to request information and documents from a regulated entity with respect to an actual or suspected eligible data breach, and to assess the regulated entity’s ability to comply with the Notifiable Data Breach scheme.

A regulated entity may resist disclosure of information and documents to the OAIC only by procuring a certificate from the Attorney-General certifying that production of the requested information and/or documents would be contrary to the public interest.

OAIC Information Sharing Powers

Domestic and international collaboration is a key part of the OAIC’s regulatory toolkit, but before the Reforms it was limited by restrictions on the circumstances in which the OAIC could record or disclose information.

Following the Reforms, the OAIC now has the power to disclose information or documents to the following:

      • an enforcement body;
      • an alternative complaint body; and
      • a state, territory or foreign regulator that has functions to protect the privacy of individuals.

These Reforms to the OAIC’s information sharing powers will help to ensure that Australians are informed about privacy issues and are reassured that the OAIC is discharging its duties, whilst ensuring that duplicative investigation and regulatory responses are avoided.

Key Takeaway

We encourage our clients to review and strengthen their processes and systems to ensure compliance with the Privacy Act and the Reforms.

Our Business & Commercial team has expertise in advising clients with respect to their obligations pursuant to the Privacy Act and drafting relevant policies and documents to ensure continued compliance.

Should you wish to discuss your business’ compliance with the Privacy Act, please contact one of our team members listed below:

Adam Rich
T: 03 9612 7229
E: Adam.Rich@wisemah.com.au

Ben Hibbert
T: 03 9612 7286
E: Ben.Hibbert@wisemah.com.au

Hayden Bateman
T: 03 5223 7512
E: Hayden.Bateman@wisemah.com.au

Tooba Khaliqy
T: 03 9612 7236
E: Tooba.Khaliqy@wisemah.com.au