In another change to the continually evolving Australian privacy legislative landscape, proposed changes to the Privacy Act have been announced. The changes seek to increase the powers of the OAIC and substantially increase penalties for privacy breaches. Whether this is the first step away from the OAIC’s current educational approach to privacy compliance and towards the punitive approach taken by overseas regulators remains to be seen. However, in light of the proposed increased penalties, ensuring privacy compliance is paramount.
What you need to know
On 25 March 2019, the Government threatened to ‘punish those firms and platforms who defy our norms and values’ in announcing a number of proposed amendments to the Privacy Act 1988 (Cth) (Privacy Act), including:
- increased penalties for all entities covered by the Privacy Act, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10% of a company’s annual domestic turnover – whichever is the greater;
- new infringement notice powers for the Office of the Australian Information Commissioner (OAIC) backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches;
- power for the OAIC to publish prominent notices about specific breaches and ensure those directly affected are advised;
- a requirement for social media and online platforms to stop using or disclosing an individual’s personal information upon request; and
- a resulting code for social media and online platforms which trade in personal information.
Will the OAIC use their increased powers?
If the new laws are passed, will the OAIC use its new powers, given that it has not done so previously?
The last few years have already seen major changes to the Australian privacy legislative landscape, with the implementation of the Australian Privacy Principles in 2014, the Notifiable Data Breach scheme in 2018, and other recent Government initiatives including the Consumer Data Right.
In making sense of the Australian privacy legislative landscape and the most recent proposed amendments to the Privacy Act, it is important to reflect on the comments made by ACCC Chairman Rod Sims in relation to privacy issues that: ‘data is not unique to Google and Facebook’.
Those comments are significant because they reflect the OAIC’s approach to privacy compliance up to this point, which has primarily focused on educating all potentially affected organisations, rather than penalising, and making an example of, a select few behemoths with large pockets.
If the OAIC were now to up the ante, it would follow the approach of regulators in the EU, who have used their broad powers under the General Data Protection Regulation (GDPR) to penalise large technology companies, notably including a massive 50 million euro fine issued to Google in January 2019.
What you need to do
Regardless of whether the OAIC utilises its increased powers to their fullest extent, affected organisations must remain alert when it comes to legislative privacy compliance. We recommend affected organisations:
- Continue to monitor legislative and regulatory changes to the Australian privacy landscape. There have been a number of recent initiatives in relation to personal data, including the Online Safety Charter, the Online Safety Research Program and the ACCC’s upcoming final Digital Platforms Inquiry Report, which is due to be published in June 2019. Organisations need to be aware of which laws apply to their operations.
- Review the types of personal information the organisation collects, uses and discloses, and the purposes for such collection, use and disclosure. Does the organisation manage personal information and data breaches in accordance with the Privacy Act? Ensure policies and procedures are reviewed and updated accordingly.
- Ensure adequate awareness and training is implemented at all levels of the organisation. Review the mechanisms that are in place (from both human and technical standpoints) to protect personal information and data more broadly.
Affected organisations cannot afford to adopt a ‘wait and see’ approach as to whether the OAIC will crack down on non-compliance following the proposed changes to the Privacy Act. We recommend organisations be proactive in their understanding of the risks in relation to collecting, using and disclosing personal information, including appropriately and swiftly responding to any changes in the Australian privacy legislative landscape as they are announced.