Australia's massive new privacy penalties become law but will be clarified

    What you need to know

    • Australia has passed legislation to introduce massive new privacy penalties – maximum penalties can now reach the greater of A$50m, three times the benefit of a contravention, or (where the benefit can't be determined) 30% of domestic turnover. 
    • New powers will make the privacy regulator better able to investigate, coordinate with other regulators, keep the public informed, and assess privacy compliance.  New information-gathering powers include a power to issue an infringement notice for a failure to provide information when required, with associated civil penalties and a criminal offence for systemic conduct or a pattern of behaviour resulting in multiple failures to comply. 
    • Australian privacy laws will apply to organisations doing business in Australia whether or not personal information is collected in Australia.  This creates significant uncertainty about how Australia's privacy laws will apply to multi-national businesses, and will impact business and data governance structures.
    • These reforms are only the first tranche of a comprehensive review of Australia's privacy laws for the digital era. The final report on the review will be delivered to the Government by the end of this year.
    • While we don't know when this report will be made public, issues raised by Senate committees provide pointers to likely areas of focus. Expect further clarification on how the massive new penalties will apply.

    What you need to do

    • Invest where it matters and be risk-informed – New penalties arrive in the context of ongoing cyber-security and tech skill shortages, technology budgets that are already stretched, expectations of a global economic slowdown and increasingly aggressive cyber threats. Organisations will need to make tough risk-informed investment decisions to appropriately prioritise security, resilience and harm reduction.
    • Paper-based compliance is a thing of the past – With massive new penalties and public accountability, organisations must actively manage privacy risks. This means having a detailed understanding of personal information dataflows through a corporation or company group, and undertaking Privacy Impact Assessments and audits to identify and mitigate privacy risks.
    • Invest in harm reduction – Cyber defence and resilience is only part of the puzzle – take steps to minimise the risk of harm in the event of a successful cyberattack by minimising the collection and retention of personal information, particularly more sensitive information that could put individuals at risk.  This should be an ongoing focus – continue to test what data needs to be collected and retained, and investigate digital identity verification and privacy enhancing technologies.
    • Understand and plan for financial exposure – Include the new penalties in organisational risk management strategies to help calibrate and reset the business case for cyber and privacy spend.
    • Revisit regulator engagement in incident response plans – Clarify information flows and decision-making protocols. Make sure you have the processes in place to assess and provide timely and accurate responses to requests for information from regulators.
    • Understand and address disclosure risks – Understand whether disclosures to regulators might breach confidentiality obligations to suppliers, customers and partners. Information required to be provided under law will have different consequences from that provided voluntarily. Consider negotiating changes to key contracts to allow greater transparency.

    Bigger penalties and new powers are here

    This is an update to our earlier publication: Big penalties and a more powerful Australian privacy regulator.

    In response to recent high-profile cybercrime incidents, the Australian Parliament has passed key privacy reforms under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth):

    • The maximum penalty for a serious or repeated interference with privacy is now the greater of A$50 million, three times the benefit of a contravention, or (where the benefit can't be determined) 30% of domestic turnover.
    • Australian privacy laws will now apply to organisations doing business in Australia, whether or not personal information is collected in Australia.
    • The Office of the Australian Information Commissioner (OAIC) will have a broader set of regulatory tools and information-gathering powers to work with.
    • Information-sharing will be improved within the OAIC and among regulators (including foreign regulators).

    The reforms are a clear message from the Australian Government that penalties for privacy breaches are not "simply the cost of doing business". The new penalties are intended to create incentives for strong data security safeguards.

    These reforms are only the beginning 

    The reforms have been rushed through in response to recent cyber incidents, and will be reconsidered as part of a broader review of the Privacy Act. The penalty regime won't fundamentally change, but there's ample room for clarification on when it will apply.

    The Senate has called on the Government to:

    • clarify key definitions, in particular the meaning of "serious" and "repeated" in relation to breaches;
    • develop a tiered penalty regime that could take into account less severe breaches, and that seeks to differentiate between companies that have acted with malice and those that have taken all reasonable steps but have fallen victim to a cyber attack; 
    • direct the Office of the Australian Information Commissioner to issue guidance material that addresses the application of penalties, and clarifies best practice for compliance with the regime; and 
    • consider the adequacy of current resourcing and staffing levels at both the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

    The Senate Legal and Constitutional Affairs Committee also highlighted for particular consideration:

    • data minimisation;
    • safe harbour mechanisms for compliant regulated entities; and
    • compensation for identifiable harms and civil actions (such as a statutory tort for serious invasions of privacy).

    These issues and more will be considered as part of the Government's broader review of the Privacy Act. The final report of the Attorney-General's Department is expected to be given to the Government by the end of the year, and the Attorney-General intends to progress reforms during the term of this Parliament.

    Massive new penalties – organisations should act fast

    The penalty for a serious or repeated breach of privacy has been increased to the greater of:

    • A$50 million; 
    • three times the value of any benefit obtained through the contravention; or
    • if the value of the benefit obtained cannot be determined, 30% of a company's domestic turnover in the "breach turnover period".

    The "breach turnover period" is 12 months or the duration of the contravention, whichever is longer. For longer term systemic breaches by larger organisations, this framework could lead to maximum penalties significantly higher than the A$50 million figure.

    While the increased penalty does not apply retrospectively to past acts or practices, it will apply to contraventions which are by their nature repeated or continuing.  To minimise risk, now is the time to audit and rectify privacy practices.

    The new penalty regime significantly exceeds both the current maximum of A$2.2 million and the penalty consulted on by the previous Government (the greater of A$10 million or three times the value of the benefit, or if the value cannot be determined 10% of domestic annual turnover).

    The A$50 million figure is significantly higher than the potential penalty of €20 million under the European Union General Data Protection Regulation (GDPR). While 30% of domestic turnover under Australian law appears significantly higher than the possible GDPR penalty of 4% of global revenue, the impact will be greatest on companies that do a larger share of their global business in Australia, because the Australian penalty is calculated on domestic rather than global revenue.

    What is the "benefit" obtained from a data breach?

    The new privacy penalty reflects recent changes to competition and consumer law penalties, and imports the notion of receiving a "benefit" from that context.

    The Senate Legal and Constitutional Affairs Committee expressed concerns that calculating the penalty by reference to the "benefit" obtained, for example from a data breach, has the potential to lead to "perverse outcomes".

    The 30% of turnover limb of the penalty only applies where the value of benefit obtained through the misuse of the information cannot be determined.

    Where a corporation receives no benefit from an interference with privacy (eg where it suffers significant harm from a cyber attack) then the 30% of turnover limb might not apply. The benefit might be determinable by the court, but determined to be zero. The maximum penalty would therefore be the greater of A$50m and zero, disregarding a company's turnover entirely.

    As part of the broader privacy review we will likely see calls to clarify that where a company does not benefit from a misuse of information, a company's turnover will be taken into account.  If that approach is adopted, larger corporations would potentially see much higher maximum penalties.

    Should "serious" or "repeated" be defined?

    In the context of significantly higher penalties, various submissions and the Senate Legal and Constitutional Affairs Committee raised concerns that the terms "serious" and "repeated" are not defined in the legislation. The Government has accepted the committee recommendation to examine, as part of the broader privacy review, whether to define the terms "serious" and "repeated".

    The concept of a serious or repeated interference with privacy is part of Australia's existing privacy laws. The OAIC "Guide to privacy regulatory action" sets out the factors to be taken into account in interpreting the legislation, as well as the circumstances in which the OAIC is more likely to take action. Although this guidance is not set out in the legislation, it provides an interpretive framework and is likely to be taken into account when applying the regime.  

    Including definitions in the legislation will create a more stable and predictable regime, more easily understood from the text of the Act. However, this may come at the cost of reduced flexibility, as guidelines can be more easily adapted to address emerging challenges.

    A tiered penalty?

    In the face of potentially massive penalties, various submissions called for a system of tiered penalties, similar to the GDPR – so the highest penalties will apply to the most egregious of cases only, or will not unfairly impact smaller organisations and charities.

    The Attorney-General's Department is considering a "mid-tier" penalty that could apply for a breach of the Privacy Act that is not a serious or repeated interference with privacy. This appears to be an additional penalty for lesser offences, not a restriction on when the larger penalty would apply.

    As part of the broader review of the Privacy Act, the Government will consider a tiered approach to penalties – potentially linked to whether an organisation has taken reasonable steps to prevent or mitigate an interference with privacy. 

    Extraterritorial operation

    Australian privacy laws now apply to organisations "carrying on business" in Australia whether or not personal information is collected in Australia. 

    While this amendment is convenient for enforcing Australian privacy laws in a modern digital context, Australia's Privacy Act no longer expressly requires personal information governed by the Act to have any connection to Australia.

    The Government has accepted the committee's recommendation to examine, as part of its broader review of the Privacy Act, whether it is appropriate to provide for any additional Australian link requirement.

    This amendment brings significant uncertainty about the scope of Australia's privacy laws, and requires urgent clarification and guidance. Organisations looking to do business in Australia should carefully consider how they structure their business and data operations – for example, it may be possible to limit the impact of Australian privacy legislation by using a separate Australian subsidiary to handle Australian personal information. However, even with these structures, the OAIC has asserted that an offshore entity providing services to its Australian related entity may still be carrying on business in Australia and bound by Australian privacy laws. 

    A more capable, more active privacy regulator with an improved toolkit

    The OAIC will have new regulatory tools and flexibility that should, together with an ongoing focus on funding, see a more proactive regulator with capacity and capability to investigate and litigate more privacy incidents.

    The focus of the reforms is information gathering and sharing – for example, the regulator will now be able to issue infringement notices, without going to court, for a failure to give information when required. Depending on how the regulator approaches these new powers, we may see a significant change to the pace and intensity of investigations and assessments, which could further strain organisations and cyber-security personnel working on recovering from cyber incidents.

    This expanded regulatory toolkit includes:

    • New infringement notices for failure to give information when required to do so, with associated civil penalties and a criminal penalty for systemic or pattern behaviour.
    • New information-gathering and assessment powers in relation to actual or suspected data breaches, or to conduct assessments of any kind. This includes, for example, the power to assess an entity's ability to comply with the Notifiable Data Breach scheme (not just whether an entity actually complied with the scheme).
    • Statements about contraventions – a respondent may be required to prepare, provide to complainants or publish a statement about the conduct that led to an interference with privacy.
    • Independent review – in addition to requiring a respondent to take steps to ensure infringing conduct is not repeated or continued, the Commissioner will have the power to require an independent and suitably qualified adviser to conduct a review and provide a report to the Commissioner.
    • Publishing information – the Commissioner will have the express power to publish a final determination and information about a final assessment report, as well as to publish other information that is in the public interest (such as an update on an investigation).
    • Information sharing with regulators – the OAIC and the Australian Communications and Media Authority will be able to better coordinate and share information with regulators and enforcement bodies, including foreign regulators.
    • Internal coordination – the OAIC will be able to coordinate its various internal functions better by sharing information, and by delegating Information Commissioner functions and powers to OAIC staff.

    What does this mean for you?

    These reforms emphasise the need for well thought out incident response plans, regulator engagement strategies and responsibilities, internal information flows, and decision making frameworks.

    Organisations will need to provide timely and accurate information to the regulator. Keep in mind that broader rights to publish and share information may lead to early assessments (which may be incorrect or incomplete) gaining a wider audience, so robust decision making and information controls are essential.

    While many of the changes may seem targeted at the "big end of town", a better funded regulator with an improved regulatory toolkit will have implications for a broad range of breaches, including less severe ones which the regulator might not have had the capacity or tools to focus on in the past.

    New powers to issue infringement notices for failure to provide information when required will see a dramatic shift in how the regulator investigates privacy concerns. The reforms also set the stage for a regulator that takes a more proactive audit and compliance role before incidents occur, as well as investigating and litigating after the event.

    In the face of significant new penalties, organisations should look not only to cyber defence and cyber resilience, but also reducing the potential harm to individuals should a cyber attack be successful. Organisations are already reviewing data collection and retention policies and where possible destroying or de-identifying personal information, particularly more sensitive information or information that could be used for identity fraud. 

    But these reviews should not be a one-off project.  Organisations need to continue to test and re-test what data needs to be collected and retained, and invest in high quality privacy impact assessments to help identify and mitigate privacy risks.

    Organisations are also investigating how privacy can be embedded in systems – adopting "privacy by design" principles, and investigating trusted digital identity frameworks and privacy enhancing technologies such as homomorphic encryption.

    Building security and privacy capability has never been more important. In all likelihood, we will see a range of reforms in the pipeline and a more proactive privacy regulator, and businesses operating in Australia will need the capability to adapt. This will be particularly challenging with a tough market for security and data privacy talent.

    Authors: John Macpherson (Director, Risk Advisory); Tim Brookes (Partner, Digital Economy Transactions), Amanda Ludlow (Partner, Digital Economy Transactions), Geoff McGrath (Senior Associate, Digital Economy Transactions) and Andrew Hilton (Expertise Counsel, Digital Economy Transactions).

    The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group and the services offered, please visit www.ashurst.com.

