The latest development in Australia’s ongoing revision of its dated Privacy Act is Parliament’s approval of a major increase in the maximum allowable fine amounts for privacy breaches. Organizations found to be responsible for a data breach now face a maximum penalty of AUD 50 million, 30% of adjusted annual domestic turnover, or three times the value of any benefit obtained through the misuse of the leaked information.
Maximum Penalty for Privacy Breaches Skyrockets
The prior Privacy Act terms allowed for a maximum penalty of only AUD 2.22 million, making this a drastic change in Australia’s regulatory landscape. The swift and dramatic movement was prompted in no small part by a string of major privacy breaches in the country dating back to September, in which large amounts of government ID and health information were leaked to the dark web after ransomware gangs exposed gaps in the cybersecurity of major organizations.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 also grants the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority new powers regarding the notification and resolution of privacy breaches. The OAIC must now be furnished with more information and can intervene more directly in settling cases, and both agencies have expanded powers to share information with potentially affected end users.
The new penalties are not immediately in effect, however; updates to the Privacy Act are subject to a review by the Attorney-General’s Department, which remains ongoing, and the fines will go into effect the day after Royal Assent is given. Realistically, this will likely be sometime in 2023, when a more comprehensive overhaul of the entire existing Privacy Act is expected to be rolled out.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said that the changes were also meant to bring Australia’s law closer in line with Europe’s General Data Protection Regulation (GDPR). Relative parity with the GDPR has been a recurring goal throughout the now years-long discussions over the Privacy Act revision, and one that big tech firms have registered their objections to.
Government Indicates it Will Pursue Privacy Breaches Aggressively
One key difference between the GDPR and the ultimate form of the revised Privacy Act will be the Australian national government’s ability to act more directly and decisively in cases of privacy breaches caused by negligence. The EU rules usually require all members of the bloc to weigh in on the ultimate penalty, and funnel investigations through the country in which the defendant organization is based (usually Ireland for the very large tech firms). This has caused delays of months, sometimes years, in resolving complaints. Commissioner Falk has stressed keeping certain provisions simple so that organizations cannot use legal maneuvering, such as basing the business outside the country, to avoid fines.
That fine process differs from the GDPR, which sets 4% of annual global turnover as its maximum penalty. In Australia, fines for privacy breaches will first face a calculation of the monetary benefit value of the information that was compromised. The fine is capped at AUD 50 million if the ultimate determination exceeds that. The 30% of adjusted turnover only comes into play if the court is unable to arrive at an estimate of the monetary value of the data in question, but also cannot exceed AUD 50 million as a maximum.
The review of the Privacy Act 1988 began near the end of 2019. The onset of the Covid-19 pandemic shortly after no doubt contributed to slowing down the process, but there has also been a considerable amount of the expected wrangling over terms (particularly the organized resistance from big tech firms). The recent wave of privacy breaches at companies such as Medibank and Optus, each incident leaking millions of customer records to the dark web, seems to have given the process a shot in the arm. There is no fixed date for the full completion of the review and implementation of new measures, but most of the key terms are widely expected to be put in place sometime in 2023.
The Privacy Act has not gone unaddressed since it went into effect at the start of 1989, but updates have been sporadic and largely in the form of bolted-on amendments and bills that address specific issues. The terms only applied to national and local government agencies and credit reporting bureaus for the first decade of its existence. The Office of the Privacy Commissioner was established in 2000, terms were expanded to cover private sector organizations in 2001, the OAIC was established in 2010, and the credit reporting industry was targeted with significant reforms in 2014. Comprehensive data breach notification requirements did not emerge until 2018.