
In response to the high-profile Medibank and Optus data breaches in recent weeks, the Albanese Government has sought to introduce legislation to significantly increase penalties for repeated or serious privacy breaches.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed the House of Representatives on 9 November 2022. It seeks to increase maximum penalties from the current $2.22 million to whichever is the greater of:
- $50 million;
- If a court can determine the value of a benefit, three times the value of any benefit obtained through the misuse of the information; or
- If the court cannot determine the value of the benefit, 30% of a company’s adjusted turnover in the relevant period.
Greater powers for the OAIC
The Bill will also afford the Office of the Australian Information Commissioner (OAIC) greater powers to resolve and quickly share information about data breaches, to better protect consumers' personal information.
For instance, if the Bill becomes law, the OAIC will be able to:
- conduct assessments of an entity’s compliance, or an entity’s ability to comply, with the notifiable data breach regime;
- request information about an actual or suspected eligible data breach by an entity, or more holistically, the entity’s compliance with the eligible data breach regime under the Privacy Act;
- share information and documents with enforcement bodies, complaints bodies, and other privacy regulators, and share information with any third parties, or publish information, where the sharing of that information is in the public interest;
- issue infringement notices for failure, without reasonable excuse, to respond or provide information to the OAIC where required under the law;
- in relation to complaints, order an entity to engage an independent adviser to review the acts or practices that were the subject of the complaint and the remediation of that complaint, and additionally require an entity to prepare a statement about the conduct in scope and provide that statement to the complainant or disseminate it in the public domain.
More to come in the future
The Commonwealth Attorney General’s Office reports that the significant privacy breaches in Australia in recent weeks have shown that existing safeguards are outdated and inadequate. It further states that the increase in penalties and the strengthening of the OAIC’s powers are part of a broader overhaul of the Privacy Act 1988 that will take place in 2023.
The above post is merely general commentary and is not legal advice.