By Rohan Vasudevan, Solicitor
24 January 2023
At the end of 2022 we saw numerous prominent companies in Australia experience significant data leaks and hacking events, with affected Australians now counted in the millions. Companies like Optus and Medibank Private that suffered these data breaches are still reeling from the events, and many businesses have begun to look inwards at their own policies and procedures in an attempt to avoid future cybersecurity disasters.
It is no coincidence, then, that the Australian Government has turned a magnifying glass onto Australia’s privacy laws, leading to some significant updates and changes, including long overdue amendments to the Privacy Act 1988 (Cth) (the “Privacy Act”). The recent passing of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the “Privacy Amendment Act”) introduced many changes to Australian privacy laws including increasing the maximum penalties that can be issued and expanding the powers of our privacy regulator, the Office of the Australian Information Commissioner (OAIC).
What is changing?
The Privacy Amendment Act came into force on 13 December 2022 and contains some of the most significant changes to Australian privacy laws since 2018 – a near lifetime in technology years.
One such change that has been implemented is the new extraterritorial application of the Privacy Act. Previously, the Privacy Act and the Australian Privacy Principles (the “APPs”) only applied to entities based overseas if they had an annual turnover of $3 million or above and there was an “Australian link”. An “Australian link” was established if an organisation: (1) carries on business in Australia; and (2) collects or holds personal information in Australia or an external Territory. The Privacy Amendment Act removes the second limb of the “Australian link” test, meaning that so long as an organisation carries on business in Australia and has an annual turnover of $3 million or more, it will be within the purview of the Privacy Act as an APP entity and must therefore abide by Australian privacy laws. The OAIC has outlined that this significant change aims to stop overseas companies avoiding compliance with Australian privacy laws simply by being based abroad.
Upping the Fines
Perhaps the most significant change in the Privacy Amendment Act is the substantial increase to the maximum penalties for serious or repeated privacy breaches. Previously, the maximum penalty was $2.1 million, but this has been increased to whichever is the greater of: $50 million; three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover during the breach period. This type of penalty is more in line with recent changes to competition law and corporations law, and far more accurately reflects the seriousness and importance of privacy compliance in a modern economy. The Australian Government has outlined that the significant increases in fines for data breaches aim to make it clear that cybersecurity should be a major priority, both at the operational level and at the board level, for corporations large and small. Simply put, remediation and the other costs of dealing with data leaks (where the direct victims are almost exclusively innocent individuals and not the companies themselves) should not be regarded as merely a cost of doing business. The changes are also intended to push companies to maintain up-to-date data and privacy policies, so as to prevent the cascading effects of data breaches that many of us witnessed last year.
Naming and Shaming
In addition to increasing maximum penalties, the Privacy Amendment Act also enhances the enforcement and information gathering powers of the OAIC. Specifically, after investigating a complaint, the OAIC can now make a declaration requiring an APP entity to prepare and publish, or otherwise communicate, a statement about its conduct. The OAIC is also given the power to require that an entity undertake an independent review of the practices that were the subject of a complaint, and to review the steps (if any) taken by that entity in response.
Furthermore, the OAIC has been given significant powers with regard to sharing information, including the ability to share information with enforcement bodies, State/Territory authorities and/or foreign privacy authorities. There are also new provisions allowing the Commissioner to publicly disclose information acquired in specific instances, thereby publicising specific behaviour (likely resulting in damage to a brand’s reputation), i.e. to “name and shame”.
What does it all mean?
In short, the changes within the Privacy Amendment Act show that the Australian Government has a keen focus on the laws surrounding privacy, cybersecurity and data protection, with more changes slated to occur later this year and/or early 2024. While the reforms offer more robust safeguards to protect the public against data leaks, some businesses have said that the changes will have unintended consequences, especially with regard to the new extraterritorial application of the Privacy Act.
However, the changes to the law reflect an acceptance of the importance of privacy and indicate that the cybersecurity sphere is being closely watched by both the public and private sectors. It is clear that data protection and cybersecurity can no longer be an ‘afterthought’, meaning companies will need to ensure that they have up-to-date data policies or risk being caught out.
It is a very good time for agencies and brands to consider some specific questions, including:
- What personal information do we collect, compared with how much personal information we actually need to do our work? Is any strategic value we gain from collecting all of this personal information starting to be outweighed by the cost of increased compliance, and/or by the risk of a massive fine if we fail to properly secure the information from third party attack? In other words… should we stop collecting so much information?
- As an agency, do we collect personal information and store it on behalf of our clients? If so, why? Do we have to? Is it part of our direct service, or have we just started doing it? Are we aware of our obligations and our exposure as a result?
- As a brand or an agency, are we confident that our service providers (such as our own suppliers, sub-contractors, etc.) are aware of the seriousness of their obligations?
- What is our exposure under contract for breaches of privacy legislation? For instance, is our liability capped in our services agreement? If not, and especially if we are not insured, could we withstand a fine at the level the OAIC may now issue for non-compliance?
- Do we have cyber insurance?
- Should we adjust our corporate policy with respect to taking on personal information and, if we do take it on, how long we keep it, how we store it, and so on?