In brief

In another change to the continually evolving Australian privacy legislative landscape, proposed amendments to the Privacy Act have been announced. The changes seek to increase the powers of the Office of the Australian Information Commissioner (OAIC) and substantially increase penalties for privacy breaches. Whether this is the first step away from the OAIC's current educational approach to privacy compliance towards the punitive approach taken by overseas regulators remains to be seen. However, in light of the proposed increased penalties, ensuring privacy compliance is more important than ever.

What you need to know

Will the OAIC use their increased powers?

If the new laws are passed, will the OAIC use its new powers, given that it has not made full use of the powers it already has?

The last few years have already seen major changes to the Australian privacy legislative landscape, with the implementation of the Australian Privacy Principles in 2014, the Notifiable Data Breach scheme in 2018, and other recent Government initiatives including the Consumer Data Right.

In making sense of the Australian privacy legislative landscape and the most recent proposed amendments to the Privacy Act, it is important to reflect on the comments made by ACCC Chairman Rod Sims in relation to privacy issues that: ‘data is not unique to Google and Facebook’.

Those comments are significant because, up to this point, they reflect the OAIC's own approach to privacy compliance: the OAIC has primarily focused on educating all potentially affected organisations, since every organisation handles personal data, rather than penalising, and making an example of, a select few behemoths with deep pockets.

If the OAIC were now to up the ante, it would follow the approach of regulators in the EU, who have used their broad powers under the General Data Protection Regulation (GDPR) to penalise large technology companies, notably including the 50 million euro fine issued to Google by the French regulator CNIL in January 2019.

What you need to do

Regardless of whether the OAIC uses its increased powers to their fullest extent, affected organisations must remain alert when it comes to legislative privacy compliance. We recommend affected organisations.

About the Author

Marcus Memmolo

Associate
With in-house legal experience and the ability to provide clear, non-legalistic explanations, Marcus is a talented lawyer with a strong focus on technology, IP, privacy and cyber security related law.
