Expect tougher penalties for privacy breaches from an OAIC with more funding and more powers

By Jessica Ilich, Sam Fiddian and David Benson
04 Apr 2019
Australia's shift to a privacy regime more in line with the EU's GDPR continues, with proposed amendments to the Privacy Act, accompanied by a new Social Media Code of Conduct for online platforms.

We cautioned earlier this year that organisations can expect to see the Office of the Australian Information Commissioner (OAIC) take a more active approach to compliance with the Notifiable Data Breaches Scheme and enforcement of the Privacy Act 1988 (Cth) more generally.

The Federal Government now appears set to give the OAIC additional tools to pursue this enforcement approach.

In a joint statement, the Commonwealth Attorney-General and the Minister for Communications announced plans to better fund the OAIC to the tune of $25 million over three years and to amend the Privacy Act so as to provide a new regime of increased penalties for privacy breaches which better align with "community expectations".

The new legislation will be drafted for consultation in the second half of 2019. The main amendments proposed include:

  • an increase to the maximum penalties payable by entities subject to the Act to the higher of:
    • $10 million for serious or repeated breaches (up from $2.1 million); or
    • three times the value of any benefit obtained through the breach and misuse of personal information; or
    • 10% of the entity's annual domestic turnover;
  • giving the OAIC the power to issue infringement notices of up to $63,000 for bodies corporate and $12,600 for individuals;
  • expanding other avenues for the OAIC to respond to breaches of the Privacy Act, including third-party reviews, the prominent publication of notices, and alerting individuals who are directly affected;
  • requiring social media and online platforms to take reasonable actions to cease using or disclosing an individual’s personal information upon request by that individual; and
  • introducing stronger, specific rules to protect the personal information of children and other vulnerable groups – although we don't yet know the exact nature of these rules.

It is envisaged that these proposed amendments to the Privacy Act will be accompanied by a new Social Media Code of Conduct for online platforms, which will impose stricter requirements for obtaining consent from individuals for collection of their data, and greater transparency of data-sharing arrangements.

The increased penalties will bring the Privacy Act into line with the penalty provisions in the upcoming consumer data right regime, and will be the latest step in the shift of Australia's privacy laws towards the EU's General Data Protection Regulation, or GDPR.

The OAIC has strongly endorsed these proposed amendments, stating that they are crucial to the digital economy and will increase public confidence. With respect to its increased enforcement powers, the OAIC stated that the "new system of infringement notices and other enforcement powers announced … will … allow us to send a clear message to regulated entities that privacy responsibilities must be taken seriously."

With all key decision-makers in the privacy space now repeatedly warning of tighter regulation and tougher penalties, it is clear their advice (and ours) to take privacy seriously should be followed.

Disclaimer
Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.