Australia Increases Penalties With New Privacy Bill

On October 26, Australian Attorney General Mark Dreyfus presented the Australian parliament with the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill). If approved, the Bill will implement significant amendments to the Australian Privacy Act 1988.

According to statements by Dreyfus, these amendments are a result of “significant privacy breaches in recent weeks.” Reports state Australian leaders have been engaged in a long process of consultation on how to reform the country’s protections, but Dreyfus posits that changing the decades-old privacy legislation is necessary as “[i]t’s not enough for a penalty for a major data breach to be seen as the cost of doing business.” Instead, Australia needs “better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivize better behavior.”

The Bill contains several provisions which are a clear departure from the Australian Privacy Act 1988.

Applicability

Under Australia’s Privacy Act 1988, overseas entities are subject to the country’s privacy legislation if they a) carry on business in Australia and b) collect or hold personal information in Australia. The Bill amends this requirement by removing (b) from the test for covered entities. As such, if the Bill is enacted, any entity that carries on business in Australia, regardless of whether it collects or holds personal information in Australia, will be covered by the country’s legislation.

“Carrying on business” is not defined in the Bill, so if the provisions are enacted as currently written, there will need to be further clarification of what this term actually means in practice.

Penalties

The current penalties assessed under Australia’s Privacy Act 1988 for privacy breaches deemed to be serious or repeated would be increased from AU$2.22 million (about US$1.4 million) to whichever of the following is greatest:

  • AU$50 million (about US$32 million)

  • Three times the value of any benefits gained through the misuse of information

  • 30 percent of the company’s adjusted turnover for the period during which the violation occurred

The Bill has not been signed into law by the Australian government yet. It passed the House of Representatives without amendment on November 9, and was read for a second time on November 21.

Dreyfus’s statements reflected an optimistic view of the Bill’s passage, describing it as an “essential part of the Government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era.” However, it has been reported that some industry stakeholders are “pushing back” against the penalties provision of the Bill, as the fines are substantially higher than those currently assessed under the Australian Privacy Act 1988 and those in the draft legislation released in 2021. These concerns may delay the enactment of the Bill as it stands. With the current broad definition of a covered entity, it is difficult to pinpoint which organizations need to take heed. For now, assume that anyone who conducts business in Australia should begin developing a plan to comply as more information about specific requirements becomes available.

* * * * * * *

To read our news alerts discussing: META fined, again, for GDPR violation, India’s latest Digital Personal Data Protection Bill facing criticism for going too far, the Health Care Sector Cybersecurity Coordination Center alert regarding a ransomware called Venus (GOODGAME), and Meta Pixel captures sensitive financial info from e-filing sites, click here.

This week’s breach report covers breaches of the following companies: Twitter, Community Health Network, WhatsApp, GameStop and Coinsquare. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

82 | A Look at the Consequences of the Uber and Twitter CISO Cases (with guest Ron Raether)

81 | Looking at Cyber Leadership & Costly Mistakes (with guests Rachel Briggs and Richard Brinson)

80 | Cyber Command: Its Role in Cybersecurity and National Security (with guests Gary Corn and Jamil N. Jaffer)

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
