Limebite 11/22

Enhanced regulator powers and higher penalties following major cyber incidents – The start of a cyber reform wave?

Authors (from left):
Nitesh Patel, Kaye Lai, Linda Zeng

Following major data breach incidents that impacted Optus, Medibank and MyDeal in swift succession, the Australian government has moved quickly to introduce to Parliament a bill that, among other things, aims to enhance the privacy regulator’s powers and increase penalties under the Privacy Act 1988 (Cth) (Privacy Act).

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was introduced to the House of Representatives on 26 October 2022 and its progression towards enactment is expected to be fast tracked.

Submissions about the Bill can be made until 7 November 2022.

Key proposed amendments in the Bill aim to:

  • increase penalties for serious or repeated interferences with privacy under the Privacy Act;
  • provide the Office of Australian Information Commissioner (OAIC) with enhanced investigative and enforcement powers;
  • provide the OAIC and the Australian Communications and Media Authority (ACMA) with new information sharing powers; and
  • ‘clarify’ the extra-territorial application of the Privacy Act.

While the increased maximum penalties may be the most eye-catching amendment, its practical impact is likely to be overshadowed by the new powers to be afforded to the OAIC.

Increased penalties

If the Bill is enacted, the maximum penalty for serious or repeated interferences with privacy will increase to:

  • $2.5M for non-body corporates; and
  • for a body corporate, the greater of:
    • $50M;
    • 3 times the value of the benefit obtained by the serious or repeated interference; or
    • 30% of the body corporate’s adjusted turnover for the relevant breach period.

Such penalties are consistent with the increased penalties proposed for contraventions of the Australian Consumer Law.

It remains to be seen what impact these increased penalties, if brought into force, will have as there are currently no proposed amendments as to how they might be imposed. This has in practice been a significant impediment. However, recently announced further funding for the OAIC could assist the regulator try to impose the larger penalties in suitable cases more regularly.

Enhanced powers

If the Bill is enacted, the OAIC will be armed with a range of enhanced investigative and enforcement powers, including:

  • the ability to require a person or entity to provide information and documents about an actual or suspected data breach to assist with investigations;
  • the power to disclose information if it is in the public interest to do so;
  • the power to assess the ability of entities to comply with obligations under the Privacy Act and the Australian Privacy Principles, including breach assessment and notification obligations (and make relevant requests for information or documents during the assessment);
  • new determination powers to order an entity to:
    • take steps to ensure privacy interferences are not repeated;
    • engage an independent advisor to conduct a review of the entity’s practices and provide a copy of the review to the Commissioner;
    • prepare and publish a statement about particular conduct;
  • the ability to issue infringement notices for penalties of up to 300 units or $66,600 for failures to comply with OAIC notices.

With these proposed new powers, the OAIC will have a broader range of tools at its disposal to investigate data breaches and the ability of businesses to comply with the Privacy Act.

The OAIC will also have a greater ability to enforce compliance with the Privacy Act, including breach assessment and notification obligations, and penalise businesses who fail to cooperate with the regulator.

Privacy Act extra territoriality

If the Bill is enacted, the extra-territorial application of the Privacy Act will be clarified to apply to all businesses (including overseas businesses) that simply carry on business in Australia. Previously, businesses also needed to collect or hold personal information in Australia for the Act to apply to that entity. The Bill will remove that requirement.

The Bill also clarifies that the Privacy Act applies to the acts of these businesses that occur outside of Australia.

The clarification comes in response to attempts by overseas entities to assert that the Privacy Act did not apply to them or certain actions by them on account of the information involved not being collected or held in Australia.

Information sharing

New information sharing powers have been proposed, which, if enacted, will allow the OAIC to share information with enforcement and alternative complaint bodies as well as State, Territory, or foreign authorities. This is intended to aid concurrent investigations by separate government bodies.

ACMA will also be given the ability to share information with non-corporate Commonwealth entities if it will assist the government authority to perform or exercise any of its functions or powers.

Looking forward

The changes proposed under the Bill, if (or more likely, once) enacted, will give the OAIC greater scope to take a harder stance on addressing the aftermath of large-scale cyber-attacks and on businesses that are not in a position to comply with their obligations. This is particularly so given the increased funding to be afforded to the regulator.

However, these changes are very likely the first wave of significant further amendments to privacy, data breach and cyber-crime legislation to be introduced over the next year or so.

We expect the amendments will broaden the application of privacy laws (both in terms of the type of data involved and the range of businesses that need to comply), enhance data security, privacy and breach notification obligations and introduce a direct right of action for individuals affected by data breaches.

Given the impending wave of enhanced regulations and the recognition that cyber risk is a major risk, businesses need to prioritise identifying and complying with their privacy, data security and cyber obligations if they are not already.

If you need help to gauge your compliance with privacy, data security and cyber obligations, improve your cyber resilience or deal with a cyber incident, Gilchrist Connell can assist with a range of services and expertise.

This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be nor should it be relied upon as legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.