Penalties for Breach of Privacy Laws to Increase from $2.22m to $50 million per breach and Extraterritorial Operation Expanded
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced in Parliament late last week.
The key changes proposed by the new legislation are:
Substantially increased penalties for breaches;
Expanded extra-territorial operation;
Allowing the OAIC to issue infringement notices, impose penalties for systemic failure to provide information and share information with other regulators.
Privacy Act Obligations
The Privacy Act imposes obligations on organisations with an annual turnover of more than $3 million that are in Australia or have a sufficient Australian connection, including obligations to:
Only collect personal information where it is reasonably necessary for the entity’s functions and avoid collecting sensitive information (such as health information) unless certain criteria are met (APP 3);
Notify individuals that their information is being collected as soon as practicable after collecting the information (APP 5);
Not use or disclose personal information collected about an individual for a secondary purpose without the individual’s consent, or in circumstances where the individual would reasonably expect the disclosure of the information for the secondary purpose (APP 6), and not use the personal information for direct marketing (APP 7);
Take steps to ensure any overseas recipient of information does not breach the Australian Privacy Principles in relation to the information (APP 8); and
Take reasonable steps to ensure personal information is protected from misuse, interference and loss or unauthorised access, modification and disclosure (APP 11).
Section 13G of the Privacy Act imposes penalties for serious and repeated interferences with privacy.
Maximum Penalty Increase
The present maximum penalty for serious or repeated breaches is $2.22 million for bodies corporate (rising to $2.75 million once the value of a penalty unit increases) and $444,000 for other entities regulated by the Act.
If passed, the new legislation will significantly increase the maximum penalty to the greater of:
$50 million;
3 times the value of any benefit obtained through the misuse of information if the benefit is able to be determined by the Court; or
30% of the company’s turnover.
Expanded Extraterritorial Operation
The Bill also significantly expands the extraterritorial effect of the Privacy Act. The Act presently applies to overseas entities with an ‘Australian link’ (s5B). To have an Australian link, an organisation needs to carry on business in Australia or an external Territory and to collect or hold personal information in Australia. The Bill removes the requirement for the information to have been collected or stored in Australia, meaning that all organisations carrying on business in Australia will be subject to the Act. The second reading speech for the Bill indicated that the purpose of the amendment is to ensure that global technology companies which process and store data offshore will still be subject to the requirements of the Act.
International aviation operators who carry on business in Australia and who may not have previously been subject to the requirements of the Act should carefully review their position following the introduction of the Bill.
Key Points for Organisations
To be ready for the new legislation, companies should:
Conduct a careful review of the practices adopted for collecting and storing personal information and their privacy policies;
Review any data breach plan to ensure it adequately deals with responding to requests for information from the OAIC in light of the new powers;
Ensure cross-border contracts include adequate protections for any information transferred overseas;
International companies which have not previously been subject to the requirements of the Privacy Act should carefully review their position in light of the proposed amendments.
Contacts
Keira Nelson, PH: +61 2 9230 9440
Andrew Dunn, PH: +61 2 9230 9446