The big stick: time to get serious about privacy

On 24 March 2019, the Attorney General, Christian Porter and the Minister for Communications and the Arts, Mitch Field, announced a new penalty and enforcement regime under the Privacy Act 1998 (Cth).¹

The new regime will result in the creation of a specific code for social media and online platforms which trade in personal information.²
 
The Office of the Australian Information Commissioner (OAIC) will also be given an extra $25 million of funding over the next three years to enable it to continue to oversee the privacy rules and take enforcement action for breaches of individuals privacy.³

The code will be created by a series of legislative amendments. Draft legislation is expected to be completed for public consultation in the second half of 2019 and will incorporate the findings of the Australian Competition and Consumer Commission’s current Digital Platforms Inquiry.⁴

The amendments are designed to improve transparency about data sharing and bring existing penalties and protections for the misuse of personal information in line with community expectations.⁵

New penalties foreshadowed

Under these amendments:

• The current maximum penalty for serious or repeated breaches for entities covered by the act (for example, social media and online platforms operating in Australia) will be increased from $2.1 million to whichever is greater of; $10 million, three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover; and
• Importantly, the OAIC is to be given new infringement notice powers with penalties of up to $63,000 for bodies corporate and $12,600 for individuals for a failure to cooperate with efforts to resolve minor breaches.⁶

The OAIC has welcomed these changes, commenting that:

The new system of infringement notices and other enforcement powers announced today will also allow us to send a clear message to regulated entities that privacy responsibilities must be taken seriously.⁷

Transparency and privacy

Under the amendments:

• current options available to the OAIC will be expanded to ensure that breaches are addressed through third-party reviews, prominent notices about specific breaches are published, and advising those directly affected by the breach at the first available opportunity;
• social media and online platforms will be required, upon request, to stop using or disclosing an individuals personal information; and
• specific rules will be introduced to protect the personal information of vulnerable groups and children.⁸

The OAIC will accordingly formulate guidelines on how these powers and penalties will be used by them in order to ensure that entities handle Australians’ personal information responsibly.⁹

Lavan comment

The changes referred to above demonstrate that the OAIC is now moving from providing information to entities in relation to breaches of the Australian privacy legislation to enforcing penalties for breaches.

It is now more important than ever to ensure that your organisation has taken all available steps to:

• make employees aware of privacy obligations to try and avert, as far as practicable, an inadvertent breach, or to avert a cyber attack;
• ensure that your IT system is as secure as practicable; and
• check that you have appropriate insurance cover in respect of a privacy breach of cyber attack. This may include the need to increase the level of your cover to meet the increased risk.

If you have any questions in relation to this article, please contact Iain Freeman or Lorraine Madden.