Data Protection & Privacy
As recently flagged by the Attorney-General, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (PA Bill), just introduced into the Australian Parliament, includes a quantum leap in the maximum penalty available for serious or repeated interferences with an individual's privacy (i.e. for serious or repeated breaches of the Privacy Act/Australian Privacy Principles, together the APPs). But that is not all.
Even before the Attorney-General's review of the Privacy Act (AG's Review) is completed and the resulting amendments the Government intends to introduce into Parliament are announced (expected later this year), the Attorney-General has, true to his word, included some very significant amendments to the APPs in the PA Bill. We expect the PA Bill to pass by the end of the year without much change, and to have a significant impact on all organisations subject to the APPs.
Below we briefly highlight what we see as the key (or most impactful) changes the PA Bill will bring about, subject of course to any changes made to it as it passes through Parliament:
The headline change, of course, is the more than twenty-fold increase in the current maximum penalty (currently up to $2.2 million) for a serious interference with privacy, or repeated interferences with privacy, to the greater of:
The "breach turnover period" (the period whose revenue the 30% is applied to) is the greater of:
Note: This is not limited to 12 months of revenue. Depending on when the contravention occurs (presumably only counting from the date the PA Bill passes), it could be 30% of revenue over the entire number of years for which the contravention continues, which could be a staggeringly large amount.
Reflecting the views of the OAIC in the recent Uber determination, a seemingly small amendment to section 5B(3) of the Privacy Act (deleting section 5B(3)(c)) effectively extends the reach of the APPs to all organisations and businesses that 'carry on business in Australia', whether or not they collect or hold personal information in Australia or collect it directly from individuals in Australia. As we noted in our earlier commentary on the Uber determination, this brings the extraterritorial reach of the APPs more into line with the position under the GDPR/UK GDPR. It will be of significant concern to offshore organisations which, as third-party vendors, provide services to Australian organisations and which, before the Uber determination, were not considered subject to the APPs. These organisations must now comply with the APPs, much as offshore third-party vendors are subject to the GDPR/UK GDPR.
Additional 'remedies' (that is, things the OAIC can require of organisations) have been given to the OAIC. In practice these will have a significant impact, whether the determination against the organisation arises from a complaint or from an OAIC own-motion investigation:
Clearly there is no longer anywhere to hide. Even if no one looks up the OAIC's website to see what determinations have been made against an organisation, this publication requirement means the organisation itself must tell the 'world' of its privacy wrongdoing. In particular, the publication requirement may cause further complications for listed companies, which have continuous disclosure obligations.
The 'outsourcing' of assurance/review to an independent party has been used successfully by the OAIC to date as part of its enforceable undertaking regime. The PA Bill significantly expands the scope for this, and we suspect it will become a constant feature of most determinations once the PA Bill is passed.
There are also a number of changes increasing the OAIC's powers to request information and documents (and answers to questions), extending them beyond the organisation that suffered the relevant eligible data breach to any other entity that, in the OAIC's reasonable opinion, may have information or documents relating to that organisation's eligible data breach. Further, where an organisation fails two or more times to provide information or answers to questions asked by the OAIC in respect of eligible data breaches, a new criminal offence provision applies where such behaviour shows a system of conduct or pattern of behaviour resulting in those failures.
Finally, the PA Bill formalises the sharing of information between the OAIC and other agencies and, more generally, the OAIC's ability to disclose information it has obtained during an investigation or the consideration of a complaint where doing so is in the public interest. We suspect this new disclosure right will be exercised where the OAIC considers it necessary to protect individuals, or to help them protect themselves, from the infringing conduct of an organisation.
Clearly these changes, extraordinary in the case of the proposed new maximum penalties and significant elsewhere, should concern every organisation subject to Australian privacy law, which now includes offshore service providers.
Given the changes in the PA Bill, the current publicity around significant data breaches (now an almost weekly occurrence) and the expected uplift of the Privacy Act/APPs resulting from the AG's Review, now is the time to assess the state of your privacy and cyber security compliance, and to decide whether and how you need to uplift it, so that you do not become a 'headline' as the first organisation to have a significant penalty imposed under the new regime.
Clyde & Co's Cyber, Privacy and Technology Team has specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated privacy and cyber incident response practice across Australia and New Zealand.
The firm's tech, cyber and privacy practice provides end-to-end risk management solutions for clients. From advice, strategy, transactions, innovation, and cyber and privacy pre-incident readiness, through incident response and post-incident remediation, to regulatory investigations, dispute resolution, recoveries and third-party claims, the team offers practical, solutions-focussed assistance and advice.