According to the Office of the Australian Information Commissioner (OAIC), a whopping 24 data breaches were reported that impacted 5,000 or more Australians in the year 2022 in Australia.
The OAIC reported that more than half of the breaches occurred due to malicious or criminal cyber-attacks. Against this backdrop, on 28th November 2022, Australia passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (“Amendment Bill’) and is now awaiting the Royal Assent.
The Amendment Bill prescribes harsh fines for organizations violating their privacy commitments in Australia as per the amended expanded scope of the Privacy Act 1988. This modification heralds a move toward stricter regulation and more severe penalties in an effort to discourage businesses from flouting the law and regulatory requirements. The Amendment Bill provides the following substantial changes to the Privacy Act 1988:
1. Enhanced Penalties
As per Section 13G of the Privacy Act, any act by an entity or person that causes “serious or even repeated interference” with an individual or a group of individuals' privacy is in contravention of the Privacy Act and is liable to a civil penalty.
Currently, the amount of civil penalty for “serious or repeated interferences with privacy” is AUD 2.22 million. However, now the Amendment Bill provides the following penalties for any serious or even repeated interference with privacy by a body corporate:
- 50,000,000 AUD;
- three times the value of any benefit obtained through the misuse of information; or
- 30% of a company's adjusted turnover in the breach turnover period.
The ‘adjusted turnover’ is calculated by taking a sum of the values of all the supplies that the company has made, or is likely to make, during the breach period. The breach turnover period means any time period longer than the following:
- the period of 12 months ending at the end of the month in which the violation (contravention) ceased, or proceedings in relation to the contravention was instituted (whichever is earlier); or
- The period:
- starting at the beginning of the month in which the contravention occurred or began occurring; and
- ending at the same time as the period determined under (1).
For unincorporated entities, the Amendment Bill has prescribed the penalty from the current maximum of AUD 440,000 to AUD 2.5 million.
2. Stricter Enforcement Powers
The Amendment Bill also amends the Australian Information Commissioner Act 2010 to provide the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement powers. The Amendment Bill enhanced the following Commissioner’s powers, among others:
- Expanded the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation;
- Amended the extraterritorial jurisdiction of the Privacy Act to ensure foreign organizations that carry on a business in Australia must meet the obligations under the Privacy Act, even if they do not collect or hold Australians’ information directly from a source in Australia (organizations will no longer be required to collect or hold personal information within Australia in order for the Privacy Act to apply.); and
- Strengthened the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.
With regards to the last point, the Amendment Bill provides that the Commissioner may obtain information or documents in relation to actual or suspected eligible data breaches. The Commissioner can also retain, keep or make copies of the documents provided by the person or entity. With regards to the determination of conduct that interferes with the privacy of an individual or group of individuals, the Commissioner can now require the person or entity to prepare and publish, or communicate, a statement about such conduct.
Sharing of Information with other Relevant Authorities and Public
In addition to this, as per the Amendment Bill, the Commissioner can also share information and the documents received with other relevant authorities for the performance of functions and duties.
The relevant authorities include enforcement, alternative tribunal, or a state or public level authority. The Commissioner will also be able to disclose the information if it is essential to the public interest after determining the rights and interests of the complainants, and whether such disclosure would impact an ongoing investigation or any other enforcement-related activity, etc.
The Amendment Bill also amends the Australian Communications and Media Authority (ACMA) Act 2005 to provide ACMA with enhanced information-sharing powers.
How Securiti Can Help?
The Amendment Bill provides significant changes to the privacy framework in Australia by adding stricter penalties for data breaches. Businesses operating in Australia should consider the added obligations to ensure full compliance with the Privacy Act’s Notifiable Data Breaches scheme.
Securiti harnesses AI to deliver organizations with an automated breach management system that enables them to seamlessly gather incident reports, identify the scope of the incident, and optimize notification for risk mitigation and compliance with the Privacy Act.
Request a demo to learn more.