What’s happened?

The Australian Attorney-General’s department has announced a proposed new regime that would make changes to the Privacy Act 1988 (Cth) (Act).

The proposed changes would see a significant expansion of the powers afforded to the Office of the Australian Information Commissioner (OAIC), particularly with respect to the scope of penalties that may be handed out by the OAIC.

The Attorney-General’s department states that the proposed changes are aimed at increasing online protection for Australians and at ensuring that major social media companies take steps to protect the personal information they gather about Australians, with a particular emphasis on children.

What is proposed?

The proposed changes seek to:

  • Increase penalties for all entities covered by the Act, from the current maximum penalty of $2.1 million for serious or repeated breaches, to the greater of:
    • $10 million;
    • three times the value of any benefit obtained through the misuse of information; or
    • 10 per cent of a company’s annual domestic turnover;
  • Provide the OAIC with new infringement notice powers, including new penalties of up to $63,000 for corporations and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches;
  • Enable the OAIC to ensure breaches are addressed through third-party reviews, publish prominent notices about specific breaches and ensure those directly affected by breaches are advised;
  • Require social media and online platforms to stop using or disclosing an individual’s personal information upon request; and
  • Introduce specific rules to protect the personal information of children and other vulnerable groups.

The proposed changes would also see the OAIC provided with an additional $25 million in funding over three years for the resources it needs to monitor and enforce compliance with the Act.

What’s to come?

Legislation incorporating the proposed changes is expected to be drafted for consultation in the second half of 2019.

Organisations should view the Attorney-General’s Department’s announcement as part of the continued drive towards the protection of personal information, which creates significant deterrence by punishing organisations that do not comply with the Notifiable Data Breach Scheme (NDB Scheme) or do not adequately protect the privacy of individuals in Australia.

More broadly, the proposed changes evidence the continued expansion of penalty regimes across regulated areas under Australian law. The announcement follows closely behind the penalty reforms under the Corporations Act 2001 (Cth), which have seen a significant widening of civil and criminal penalty provisions and substantial increases in the amount of penalties that can be ordered. It is apparent from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, and the bipartisan support for its recommendations, that deterrence through regulatory enforcement action is considered a fundamental aspect of ensuring strong compliance. No doubt that sentiment is echoed in the drive for penalty reforms in the privacy law landscape.

With these proposed changes, there is also an element of Australia coming into line with international developments. The proposal for social media and online platforms to stop using or disclosing an individual’s personal information upon request seems to be a move in the direction of the EU’s General Data Protection Regulation (GDPR), which took effect in May 2018. Under the GDPR, consumers have a ‘right to be forgotten’, a right that does not presently exist under Australian law. A requirement for certain websites to cease using and disclosing personal information, as has been proposed, is certainly a step towards the GDPR on that front.

Organisations acting prudently will take steps to ensure that they have an incident response plan in place that contemplates how they will respond should they be subjected to a cyber attack or data breach. If an organisation suspects that a data breach has occurred, it should seek urgent legal advice to ensure compliance with the NDB Scheme. Norton Rose Fulbright can assist organisations with the preparation of incident response plans and with advice on the operation of, and compliance with, the NDB Scheme.