The 3 Penalties of Australia’s New Privacy Bill Corporations Need to Know About

DATE PUBLISHED: December 13, 2022

key takeaways

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 aims to strengthen Australia's privacy protection by increasing penalties for data breaches, expanding the OAIC's information-sharing powers and its enforcement, and allowing extraterritorial application of Australia's Privacy Act.
The increased penalties will be whichever of the following is the highest: $50 million, three times of any direct or indirectly benefit obtained attributed to the breach, or 30% of the adjusted turnover of the body corporate during the breach turnover period.

Following recent cyber-attacks on two of Australia's largest corporations,[1] the Australian Parliament has approved the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill).[2]

The Bill attempts to enhance Australia's privacy protection by:

Increasing penalties for serious and repeated data breaches;
Expanding enforcement and information-sharing powers of the Office of the Australian Information Commissioner (OAIC); and
Allowing extraterritorial application of the Privacy Act 1988 (Cth) (the Act).

What are the increased penalties?

For non-corporate entities, the maximum penalty that may be imposed for a serious or repeated privacy breach has increased from $444,000 to $2.22 million. For entities like Optus and Medibank, the maximum penalty that may be imposed has increased from $2.5 million to either of the following (whichever is highest):

$50 million;
Three times the value of any benefit obtained, directly or indirectly, and that is reasonably attributed to the privacy breach; or
30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

The significantly increased penalties aim to incentivise companies to comply with their privacy obligations whilst also bringing Australian privacy law more in line with international penalties under the European General Data Protection Regulation.[3] It provides a much bigger stick than the OAIC had.

How have the OAIC's powers increased?

With respect to the OAIC's increased powers, one of the key takeaways includes the OAIC's enhanced information-gathering powers, such as:

The power to conduct assessments of an organisation's compliance with Privacy obligations;
The power to obtain information or documents in relation to an actual or suspected eligible data breach; and
The power to share information with other authorities and disclose information where it is in the public interest to do so.

Furthermore, international organisations that carry on businesses in Australia will also be captured by the Act. This is due to the removal of the requirement for an organisation to collect or hold personal information in Australia, which was previously required for the Act to apply. Australian Information Commissioner and Privacy Commissioner, Angele Falk, said this was to "mitigate against overseas companies avoiding the jurisdiction based on complex structural and technical matters".

[1] https://www.austrac.gov.au/optus-data-breach-working-our-reporting-entities

[2] https://www.oaic.gov.au/updates/news-and-media/oaic-welcomes-passing-of-privacy-bill

[3] https://www.oaic.gov.au/updates/news-and-media/oaic-welcomes-passing-of-privacy-bill

conclusion

The Bill provides harsher penalties for breaching privacy protection and enhanced investigative powers. Will this matter? The hacks and breaches of Optus and Medibank, respectively, have demonstrated that even the largest companies with significant resources are vulnerable to privacy breaches.

GET IN TOUCH WITH US!

if you have any questions concerning privacy and your obligations, please fill out the enquiry form below and mention this article for an obligation-free appointment.

ENQUIRE NOW