The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has been passed by both the houses of parliament and it will be soon passed as a law, following once it receives the Royal Assent. The bill has been the result of the various increasing data breaches which affected some of the big companies like Optus and Medibank.
The amendment has favoured the OAIC (Office of Australian Information Commissioner) role in protecting the individual’s privacy from the upcoming threats. The amendment will make the businesses to take privacy concerns seriously and take appropriate safeguards to protect the data. Some of the key changes are given below:
The amendment introduced increased fines and penalties, which is the most substantial change seen in the bill. The penalty for the serious and repeat offences (Section 13G) are increased, which if:
- By a person other than a body corporate is an amount not more than $2,500,000.
- By a body corporate, the greater of:
- AUD 50 million
- If the court can determine the value of the benefit obtained – three times the value of that benefit
- If the court cannot determine the value of the benefit obtained, then 30% of the body corporate’s adjusted turnover during the breach turnover period.
- The concept of “benefit”, “adjusted turnover” and “breach turnover period” will also be applied for calculation of the penalties to be imposed.
Businesses must put in place robust privacy standards and safeguards to avoid imposition of these penalties.
Enhanced powers for the Information Commissioner
With the amendment, the OIAC powers has also been increased. There are stronger investigatory and enforcement powers which provides flexibility in how the Commissioner can investigate the potential breaches or threats and is authorised to demand the appropriate information from the entities and can share the information with other regulators or disclose in public interest (Section 26WU). Some of the takeaways are given below:
- Power to obtain documents and information relating to the data breaches: If the commissioner believes that a person or entity has information or documents that are relevant where there is a suspect of data breach or requirement of the compliance.
- Power to issue notice for compliance: The Commissioner may give a written notice to the person or entity for providing the information, produce documents and answer questions as mentioned in the notice to the related matter.
- Person or entity will not be liable to a commonwealth law under this provision.
- Power to share with other regulators: Commissioner may share the acquired documents with other authorities which includes enforcement body, an alternative complaint body and a State or Territory authority, or an authority of the government of a foreign country, that has functions to protect the privacy of individuals (Section 33A).
- Sharing of the documents are only allowed for certain conditions. The sharing needs to be reasonable, necessary and proportionate in the exercise of the powers or performance of functions and duties of the Commissioner.
- Power to disclose in public interest: The commissioner may disclose the documents and the information in public interest in the course of exercising powers or performing functions or duties under the Privacy Act. There are various consideration to the same, while making the disclosures which includes that whether the confidential information and personal information will or is likely to get disclosed and the potential prejudicial impact on an investigation or enforcement related activities (Section 33B).
Engaging an independent advisor
The amendment empowers the Commissioner to get additional advisory from the external advisors regarding the determination of a threat or breach. If there is an interference with the privacy of the individuals, Commissioner may include a requirement for the respondent to engage a qualified independent advisor to assist and advise on remediation steps and other relevant matters at respondent’s cost. The advisor will provide the review to the commissioner and it may publish the determination on Commissioner’s website (Section 52(IA)).
Data Breach requirement
The amendments require businesses to include in their data breach notifications details of the particular kinds of information that are subject to the breach, purportedly to enable the Commissioner to make a more comprehensive assessment of the risk of harm to individuals and whether the business ‘ proposed response steps are sufficient.
Notifiable Data Breach
The amendments empower the Commissioner to:
- Conduct a pre-emptive assessment of a business’ data breach response protocols and processes
- give notices requiring the provision of specified kinds of information and/or documents, or the answering of questions, relating to actual or suspected eligible data breaches or a business’s compliance with the data breach policy
- take and copy documents, and keep them for any period necessary to assess the business compliance with the data breach policy publish information relating to such an assessment and determinations on the Commissioner’s website.
The Commissioner will also be able to require a business to give notifications directly to individuals or publicly of conduct that has been determined to constitute an interference with privacy of individual, and prove to the Commissioner that these notifications have been given.
The bill has increased the enforcement actions and fines for entities which are as follows:
- The person fails or refuses to provide information, answer questions or produce a document or record. This will attract a civil penalty of 60 penalty units.
- The person commits an offence in a system of conduct or pattern of behaviour resulting in multiple failures or refusals, will attract a criminal penalty of 300 penalty units.
Extra-territorial operation (Australian Link)
The bill makes it easier for the act to apply to overseas companies. The condition now states that the entities need to be carrying out business in Australia which is enough for OIAC to put the entity under the ambit of the act. Previously, there was a condition that an overseas entity collect or hold an individual’s personal information in Australia at or before the time of the alleged breach.
What you should do?
The bill ensures robust and enhances powers of OIAC and increased fines which means the entities or organisations need to comply and take appropriate privacy measures and risk mitigation strategy to ensure that the entities can avoid the risk. Some of the steps are given below:
- Ensure that entities have appropriate level of cyber insurance cover, with increased data breaches in Australia, the risk of damage is huge.
- Implementing the data breach incident reporting and responses. This ensures proper incident reporting and helps determining the potential threat or risks and makes OIAC tasks easier.
- Assess whether the policies and processes are compliant with the Privacy Act, and address any gaps, to avoid enforcement action.
Plan and consider whether data collection, use, disclosure, retention and other practices involving privacy risk are necessary and proportionate to the business need.