The Privacy Commissioner’s Christmas present – new powers
Recent changes to the Privacy Act have increased the powers of the Privacy Commissioner to investigate potential breaches of privacy.
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Amendment Act) grants additional powers to the Privacy Commissioner to investigate, and impose penalties for, breaches of privacy. These changes are aimed at ensuring the Commissioner can conduct investigations effectively and efficiently. We’ve previously looked at the changes to the penalties the Commissioner can impose for breaches of privacy. In this article we look at the changing powers of the Privacy Commissioner to obtain and use information, and what they mean for the enforcement of privacy law in Australia.
Information-gathering
The Amendment Act introduces new section 26WU into the Privacy Act. This provision grants the Privacy Commissioner the power to issue a notice requiring a person or entity to give information, produce documents or answer questions relating to matters relevant to an actual or suspected eligible data breach, or to an entity's compliance with the requirements for it to assess, and to notify the Commissioner and affected individuals of, an eligible data breach. This amendment increases the Commissioner's power to effectively investigate data breaches, assess the risks arising from data breaches, and ensure appropriate steps are taken to notify individuals that their privacy has been breached.
The Amendment Act also introduces a civil penalty provision, enabling the Commissioner to issue civil penalty proceedings or an infringement notice where a person refuses or fails to give information, answer a question or produce a document or record when required under the Privacy Act. This gives the Commissioner more timely and cost-efficient options to utilise in the event of a breach than had previously been the case, when the Commissioner's recourse required the prosecution of a person for a criminal offence.
Information-sharing
The Amendment Act expands the Commissioner's ability to share information with other enforcement bodies and regulators, and to receive information from other regulators.
The Amendment Act amends the Privacy Act to authorise the Commissioner to share information and documents with an enforcement body, an alternative complaint body, a State or Territory authority that has functions to protect the privacy of individuals, or an authority of the government of a foreign country that has such functions. These amendments will make it easier for the Privacy Commissioner to share information obtained through privacy investigations with other relevant authorities.
In addition to the changes it makes to the Privacy Act, the Amendment Act amends the Australian Communications and Media Authority Act 2005 (ACMA Act). The amendments to the ACMA Act enable ACMA to disclose information to a non-corporate Commonwealth entity that is responsible for enforcing one or more laws of the Commonwealth. These amendments will make it easier for the Privacy Commissioner to obtain information relevant to the exercise of her powers, such as information about the impact of a data breach.
What do these privacy changes mean?
Overall, the increased powers to gather and share information strengthen the ability of both the Privacy Commissioner and other regulators and enforcement bodies, such as ACMA, to protect privacy and investigate privacy breaches.
The Commissioner has stated that the new powers will be used consistently with the Commissioner's existing Guide to Privacy Regulatory Action and Privacy Regulatory Action Policy, indicating there will not be a significant change in the approach taken by the Commissioner. However, the OAIC's funding and resourcing allocations have also been increased, which is likely to enable the Commissioner to progress a larger number of investigations more quickly, and to use these new powers effectively.