The Notifiable Data Breach Scheme (NDB Scheme) came into force on 22 February 2018, resulting in various changes to Australia’s privacy law. In previous posts, we have considered:

In this post, we consider the role and powers of the Australian Privacy Commissioner (the Commissioner) in enforcing the NDB Scheme.

The Commissioner’s role in the NDB Scheme

The Commissioner has a number of roles under the NDB scheme, including:

  • offering guidance to regulated entities and informing the community about the operation of the NDB Scheme;
  • receiving notifications of eligible data breaches and handling complaints;
  • conducting investigations into suspected or actual data breaches; and
  • taking enforcement action where an organisation has failed to comply with its privacy obligations.

Powers of the Commissioner

The Commissioner has a wide range of powers under the Privacy Act to enforce the NDB Scheme.

In response to an interference with privacy, the Commissioner's statutory enforcement options include:

  • accepting an enforceable undertaking. For example, the Commissioner might accept an undertaking to apologise and implement a compliance program in lieu of other civil action. Importantly, an enforceable undertaking may also require the organisation to pay an amount for loss or damage where the Commissioner considers this appropriate in the circumstances, including for non-economic loss or for expenses the Commissioner considers a complainant reasonably incurred in making a complaint about a privacy breach;
  • applying to the Court for a civil penalty order for breach of a civil penalty provision, including where an interference with privacy is serious or repeated. The maximum penalty the Court can impose is currently $2.1 million (10,000 penalty units) for bodies corporate and $420,000 (2,000 penalty units) for individuals; under Commonwealth legislation a penalty unit is currently valued at $210;
  • seeking an injunction from a Court to prevent ongoing activity or a recurrence (e.g. the Commissioner might apply to the court for an order preventing an organisation from running a compromised website until adequate security measures are in place); or
  • making a determination following a complaint or an investigation (e.g. a determination that a complaint is substantiated), which may include a declaration:

(1) that steps be taken to prevent further interferences with privacy; and/or

(2) that the complainant is entitled to compensation for loss or damage.

Importantly, if the Commissioner makes a declaration of the first kind (limb (1)), the organisation must comply with it in accordance with the Privacy Act. A declaration that compensation is payable for loss or damage is not binding of itself: the complainant or the Commissioner must obtain an order from the Federal Court before the compensation becomes payable. Under the Privacy Act, loss or damage includes injury to the feelings of, or humiliation suffered by, the complainant or individual.

In addition, the Commissioner can direct an entity to notify the Commissioner, and the individuals at risk of serious harm, about an eligible data breach. This power might be used, for example, where the Commissioner learns of a data breach before the organisation does.

Collaborative Approach

Despite these powers, the guidance the Commissioner has published so far on the NDB Scheme states a preference for working with entities to encourage voluntary compliance with their obligations under the Scheme before taking enforcement action.

That being said, given the significant enforcement options available to the Commissioner, it is prudent to seek legal advice if your organisation is subject to a data breach or an investigation by the Commissioner.