Corporate & Commercial 09 January 2023

Data Laws update: why businesses need to start thinking about privacy

In November 2022, the Government endorsed and passed a new bill that introduced tougher privacy laws following the Optus and Medibank data breaches which exposed the private details of millions of people.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 amends the Privacy Act (1988), the Australian Information Commissioner Act (2010) and the Australian Communications and Media Authority Act (2005). The intention of this bill is to put privacy front and centre. Under this new bill:

  • There are tougher penalties for both individuals and businesses.
  • The Office of the Australian Information Commissioner (OAIC) has greater authority and enforcement powers.
  • The OAIC and the Australian Communications and Media Authority (ACMA) have greater information-sharing powers.

But what does this mean for businesses that collect customer information?

Small Businesses Need to Start Thinking About Privacy

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 removes the small business exemption. Prior to this bill, businesses with less than $3 million in annual turnover were exempt from reporting privacy breaches and from being held responsible for misuse of data.

Businesses that collect personal information will now need to ensure the information is necessary and directly related to one or more of the business’s functions. Additionally, they will need to report how they store, update and disclose personal information within their company. This will force all businesses to review their privacy policy and their cyber security policies and measures to ensure they are not vulnerable or at risk.

Under current Australian Privacy Principle requirements, businesses can only collect and use personal information if required by law or necessary to verify an individual’s identity. They also must destroy or de-identify personal data and take reasonable action to protect personal and sensitive information from misuse, hacks or disclosure.

There will be Tougher Penalties

The Privacy Legislation Amendment 2022 affects Section 13G of the Privacy Act (1988) and increases the penalties for serious or repeated interferences with privacy for both individuals and body corporates (businesses).

  • For individuals, the maximum penalty has increased to a $2.5 million fine.
  • For body corporates, the maximum penalty will increase to whichever is the greater of:
    1. an amount not exceeding $50 million;
    2. three times the value of the benefit obtained; or
    3. if the value cannot be determined, 30% of the adjusted turnover during the affected period.
  • Additionally, a separate criminal penalty has been created for body corporates that engage in behaviour that can be considered a pattern of unlawful interference with privacy.

The increase in penalties is intended to act as a deterrent for individuals and body corporates, as previous penalties were considered too soft for such an impactful matter. It is also designed to incentivise businesses to improve corporate cyber compliance by investing in cyber security measures and policies.

Greater Enforcement Powers

The OAIC has also been given greater enforcement powers to resolve privacy matters more efficiently. With this new power, the Commissioner can issue infringement notices to body corporates for failing to answer questions, give information or produce records or documents regarding their privacy breach.

It also extends the OAIC’s existing powers. Now, the OAIC will be able to:

  • Declare that the respondent must take specified steps to ensure the conduct constituting an interference with privacy is not repeated or continued.
  • Require the respondent to engage an independent and suitably qualified adviser to assist in the implementation of the data breach response plan.
  • Require the respondent to prepare and/or publish a statement about the conduct that led to the interference with privacy.

This promotes privacy as individuals and body corporates will look to handle information with care and due diligence. It also strengthens the Notifiable Data Breach scheme to ensure the Commissioner has comprehensive knowledge of the information compromised to assess the particular risk of harm to individuals.

Sharing of Information

Following the two data breaches, it was recognised that there were some barriers between the OAIC and ACMA that impacted the efficiency and result of enforcing the Privacy Act (1988).

To remedy this, the Privacy Legislation Amendment 2022 facilitates better cooperation between the OAIC, ACMA and other regulatory authorities by allowing the Commissioner to share information, provided that it is reasonable, necessary and proportionate to do so. Sharing is subject to these five restrictions to ensure and promote privacy:

  1. The Commissioner can only share information for the purposes of the Commissioner’s, or the receiving body’s, exercise of powers or performance of functions and duties.
  2. The information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act.
  3. The Commissioner must also be satisfied on reasonable grounds that the receiving authority has satisfactory arrangements for maintaining the security of the information or documents.
  4. Where the Commissioner has obtained information or documents from an Australian Government agency, the Commissioner may only share those documents with an Australian Government agency.
  5. If the information is shared with a receiving body under this section, the receiving body may use the information only for the purposes for which it was shared.

Extraterritorial Jurisdiction

The Privacy Amendment also clarifies how the Australian Government will handle international companies that hold Australian data. Now, foreign organisations that “carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians’ information from a source in Australia”. This amendment mirrors provisions of the Australian Consumer Law in the Competition and Consumer Act 2010 and is designed to better protect our digital identities by holding platforms accountable for leaks and misuse of the personal information provided to them.

Is my privacy policy up to date?

With the new amendments to the Privacy Act (1988), the best way to ensure your privacy policy and cyber security policies are up to date is to talk to our experienced Corporate & Commercial team, who will be able to provide a tailored approach to ensuring your business is compliant with all new regulations. To obtain advice or arrange a meeting, give us a call or fill out the enquiry form.

Alicia Carroll, Principal Lawyer, Risk Manager | Corporate & Commercial
