Privacy Act Review: We have a Privacy Bill, but some promised reforms will have to wait

Following high profile data breaches in Australia, the privacy reform which has been in the works for years has been brought forward – partially.

The cost of this expedited bill has been the omission of a number of key reforms recommended in 2017 by the Productivity Commission.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Privacy Bill) introduced to Parliament on 26 October 2022 increases enforcement powers and possible fines for interferences with privacy, and strengthens the Notifiable Data Breach Scheme (NDB Scheme).

What we do have

The Privacy Bill includes:

  1. Increased penalties for serious or repeated interferences with privacy.
  2. Greater enforcement powers for the Office of the Australian Information Commissioner (OAIC).
  3. Increased information gathering requirements under the NDB Scheme.

Increased penalties

The penalty for serious or repeated interferences with privacy has been increased to an amount not exceeding the greater of:

  • $50 million; or
  • three times the value of the benefit obtained; or
  • if the court cannot determine the value of the benefit, 30% of the organisation’s adjusted turnover in the relevant period.

For context, the current maximum penalty is $2.2 million.

Greater enforcement powers

These include:

  • expanding the extraterritorial jurisdiction of the Privacy Act by removing the requirement for an “Australian link” – aka reaching the regulatory fingers of the Privacy Act into activities or organisations in other countries;
  • powers to penalise organisations for failing to provide information when investigating a complaint; and
  • powers to share information with other regulators and enforcement bodies.

Information gathering for the NDB Scheme

When notifying the OAIC of a notifiable data breach, organisations must be more specific about what particular kinds of information were affected.

The OAIC may also request information from organisations that the OAIC considers to be relevant to an actual or suspected eligible data breach.

What we’re missing

Many of the key reforms recommended in 2017 have not been included at this time. Reforms that were included in the consultation of the Privacy Act Review but that are not included in this Privacy Bill include:

  • Changing the definition of personal information.
  • Removing the employee records and small business exemptions.
  • Creating a direct cause of action for individuals to take privacy matters directly to court.
  • Strengthening consent requirements, and addressing privacy and consent for minors.

Strengthening children’s rights to privacy is currently a global trend. There are many elements of the consultation which are not included, some of which are much greater, wholesale reforms that will change the scope and application of privacy law. We discussed these further in a previous article.

For now, it is a “watch this space” message.

What it means for not-for-profit and education organisations

This is not the end of the privacy story. There will be more reform to come.

Amendments that may specifically concern not-for-profit and education organisations include:

  1. The clarification that the OAIC can publish determinations on its website. This means there is a stronger “name and shame” culture around privacy determinations, which may affect not-for-profit and education organisations that highly value their reputation and image in the public sphere.
  2. Similarly, there are additional requirements for organisations to publish notices on their websites about privacy breaches or determinations. Again, this may impact reputation and brand, which can be particularly important for charities that rely on trust from the public.
  3. The eSafety Commissioner will be included in the Privacy Act 1988 (Cth) as an alternative complaint body, so the OAIC can transfer complaints to the eSafety Commissioner when privacy complaints overlap with cyberbullying, cyber abuse or image-based abuse – matters over which the eSafety Commissioner has jurisdiction. This follows the trend in the last five years of increasing the eSafety Commissioner’s powers. The ability for complaints to be referred to the eSafety Commissioner is relevant for organisations that work online with individuals who may be subject to image-based abuse or cyberbullying, such as teenagers. With referral powers, there may be an increase in complaints in both realms: privacy and eSafety.

How we can help

To respond to the proposed reforms, we can help you implement data breach response plans to minimise the impact of data breaches, help you report under the NDB Scheme, and be a helping hand through any privacy complaints you may receive.

To prepare for the next stage of reforms, organisations should consider building into their systems and software the ability to know where data is stored, how it is collected and who has access to it. This will equip you to pivot if (or when) the law changes, such as removing the employee records exemption. We can help with this change management through privacy audits and empowering you to conduct privacy impact assessments.

You can also register for our upcoming webinar, Data breach simulation: How to manage a data breach, to be presented on 17 November, here.

Contact us

Please contact us for more detailed and tailored help.