7 – Regulation and enforcement

Enhanced powers for the OAIC

Immediate changes under the Online Privacy Bill

Further to the development of the OP Code, the Online Privacy Bill also seeks to bolster the OAIC's regulatory and enforcement toolkit by granting it a suite of enhanced powers. These proposed changes, summarised below, are expected to be passed in advance of the review of the Privacy Act as they reflect already announced Government changes to penalties, and complement the operation of the OP Code.

Powers granted to the OAIC under the Online Privacy Bill, by category
Civil penalties

For a body corporate, the maximum penalty will increase to an amount not exceeding the greater of:

  • $10,000,000;
  • three times the value of the benefit obtained by the body corporate from the conduct constituting the serious and repeated interference with privacy; or
  • if the value cannot be determined, 10% of their domestic annual turnover.1
Criminal penalties

Repeated non-compliance is a criminal offence and may incur a penalty of 12 months' imprisonment, 20 penalty units or both.2

Power to issue infringement notices

The OAIC can issue infringement notices if an organisation does not provide information or produce a document that is relevant to the investigation.3 Practically, this enables the OAIC to resolve non-compliance more efficiently as it does not need to resort to prosecution of a criminal offence or litigation of a civil matter.

Power to make determinations

The OAIC's determination-making power will also include the ability to:

  • require an organisation to engage an independent and suitably qualified advisor to assist in ensuring conduct that interferes with privacy is not repeated4; and
  • require an organisation to prepare a statement about the conduct that led to the interference with privacy and steps taken to remediate the contravention. The organisation may also be required to make the statement public.5
Information-gathering power to conduct assessments of any kind

The OAIC can issue a notice to produce information or a document relevant to an assessment of any kind.6 This power is subject to several safeguards, including:

  • a notice can only be issued to the entity subject to the assessment; and
  • the Commissioner must be satisfied that issuing a notice is reasonable, having regard to the public interest and other factors.7
Greater information sharing

The OAIC can share information or documents with the following bodies:

  • a law enforcement body;
  • an alternative complaint body (including the eSafety Commissioner); and
  • state, territory or foreign privacy regulators.8
Greater powers to disclose

The OAIC will have the ability to confirm whether the OAIC has received notice of an eligible data breach, and to disclose information regarding assessment reports, determinations made under s52 of the Privacy Act and enforceable undertakings without needing to meet a public interest test.9 The OAIC still needs to meet the public interest test for other permissible disclosures under the Act.

The OAIC has said publicly that it is taking 'an ongoing pivot into a stronger enforcement stance', and with a strengthened enforcement and regulatory arsenal, we are likely to see it taking more proactive regulatory enforcement action against organisations for breaches of the Privacy Act.

Enhanced regulatory and enforcement powers on the horizon

The Discussion Paper also proposes a number of additional regulatory and enforcement powers in conjunction with those provided for in the Online Privacy Bill (see above). The improved enforcement and regulatory tools proposed to be given to the OAIC suggest the Government intends to imbue a greater compliance culture in Australian business in respect of privacy law, namely through creating a greater deterrence factor for breaches.

Tiered categories of civil penalties

The Discussion Paper proposes the creation of two additional categories of civil penalties:

  • a 'mid-tier' civil penalty provision to cover any interference with privacy. This would have a smaller maximum penalty than is provided for breaches of s13G; and
  • a number of 'low-level' civil penalty provisions to cover certain administrative breaches of the APPs. These 'low-level' civil penalties would also be accompanied by the OAIC being granted the power to issue infringement notices in respect of these 'low-level' civil penalty provisions. Issuance of an infringement notice would provide individuals with the option to pay a fine in full as an alternative to prosecution for an offence or litigation of a civil matter in court.10 These would mirror powers already possessed by the ACMA and ACCC, and which have long been considered an important omission from the 2014 Privacy Act enforcement regime.

These new provisions would provide the OAIC with the ability to more easily seek pecuniary penalties for interferences with privacy and at a level that is less than the current civil penalty threshold set out in s13G of the Privacy Act, which requires interferences to be 'serious' or 'repeated'. The Discussion Paper also proposes that s13G is amended to provide greater certainty on the events captured by this threshold.

Adoption of these provisions would mean organisations could be subject to pecuniary penalties for any breach of the Privacy Act or privacy-related obligations in other federal legislation. This could denote a significant deviation in the manner in which contraventions of the Privacy Act are dealt with by the OAIC.

Enhanced investigatory and inquiry powers

The Discussion Paper proposes that the OAIC's investigation powers be amended to incorporate the investigatory powers listed in Part 3 of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act). If adopted, this would provide the OAIC, in relation to civil penalty investigations, with additional powers to:

  • search premises for evidential material;
  • make copies of information and documents specified in a warrant;
  • operate electronic materials to determine whether the kinds of information and documents specified in a warrant are accessible; and
  • seize evidential material and other things (which would prevent the destruction of evidence).11

The Discussion Paper also proposes that the OAIC should have the power to conduct public inquiries and reviews as directed by, or subject to, Ministerial approval. This framework would be modelled on the inquiry powers of the ACCC.

Determinations power to require proactive mitigation of damage

The Discussion Paper proposes that the OAIC be granted the power to issue, under its determination power, a declaration requiring organisations to identify, mitigate and redress actual or reasonably foreseeable loss or damage to affected individuals. Currently the OAIC may only mandate contravening entities redress loss or damage suffered by relevant individuals prior to the issuance of a determination.12

If implemented, businesses would have to be proactive following a breach to identify and take reasonable steps to also mitigate reasonably foreseeable consequences of a breach. The Discussion Paper has asked for submissions as to whether the community considers this proposal to be a reasonable proposition.13 We think this measure will likely be implemented on the basis that business will be expected to have loss-mitigation measures in place.

OAIC as conciliator and regulator

The Discussion Paper noted that responses to the Issues Paper raised concerns in relation to the OAIC's role as conciliator and regulator — effectively impacting the OAIC's ability to carry out its functions and in turn reducing public confidence. The Discussion Paper proposes three alternative options to respond to these concerns, including encouraging greater recognition and use of External Dispute Resolution schemes, creating a Federal Privacy Ombudsman to conciliate complaints or establishing a Deputy Information Commissioner – Enforcement within the OAIC. At this stage, it remains unclear if there is a preferred option but we suspect that feedback will drive any changes to the OAIC's regulatory model.

Direct right of action

The Discussion Paper outlines a proposed model for a right for individuals to bring actions against organisations to seek compensatory damages, as well as aggravated and exemplary damages (in exceptional circumstances) for the financial and non-financial harm suffered as a result of an infringement of the Privacy Act (a Direct Right of Action).

The ‘gateway’ process (which is similar, for example, to the Australian Human Rights Commission’s model) would require complaints to go initially to the OAIC or other complaints-handling body to be assessed for conciliation by the OAIC, or require the complainant to seek leave of the court to commence civil penalty proceedings.

A key issue that remains open is the requisite harm threshold that the complainant would need to establish as part of a Direct Right of Action claim. The Discussion Paper calls for further submissions on this issue of the harm threshold in particular, along with the proposed 'Gateway' process to pursue a Direct Right of Action.

The Discussion Paper makes it evident that the Government is seriously considering the implementation of such a right. If implemented, this could greatly increase the litigious burden of entities as they may, in the future, be subject to individual, class action and OAIC actions in respect of alleged contraventions of the Privacy Act.

Statutory tort of privacy

The Discussion Paper leaves open the question of whether the introduction of a statutory tort is necessary, and outlines four potential models the development of the tort could take.

Given the absence of a preferred model and the range of complex issues already raised by successive law reform commission enquiries on this topic, we suspect it is possible this proposal will be delayed or shelved in the final proposals. This might particularly be the case if the Direct Right of Action is legislated, although media organisations will be particularly focused on the continued existence of the journalism exception if that is the case.

New OAIC power to create APP codes

The Discussion Paper proposes to amend the Privacy Act to allow the OAIC to create an APP code on the direction or approval of the Attorney-General, and without first requesting an industry code developer, but only:

  • if it is in the public interest to do so and where it is unlikely that an appropriate industry representative would develop such a code (eg where a code is required to respond to a cross-industry issue); or
  • on a temporary basis, at the Attorney-General's direction or approval, but only where urgently required and, again, where it is in the public interest to do so.

This would allow for APP codes to be made in a more efficient manner, whilst still enabling consultation from affected industry. It remains to be seen what subject matter may be sufficient to justify the OAIC’s reliance on these new proposed powers, particularly where the Discussion Paper has acknowledged that the public interest includes a broad series of interests, including the interests of commercial entities in the context of the nation’s economic wellbeing. The OAIC may instead choose to exercise its enhanced enforcement powers (described above) which, over time, may have the same effect of ‘codifying’ the OAIC’s guidance where this new power is not adopted or otherwise requires too high a threshold to be used in practice.

Industry funding arrangements

The Discussion Paper proposes that an industry funding model, similar to that for ASIC, be introduced, incorporating two different levies:

  • a cost recovery levy to help fund the OAIC’s provision of tailored guidance, advice and assessments, and
  • a statutory levy to fund the OAIC’s investigation and prosecution of entities which operate in a 'high privacy risk environment'. Relevant entities are said to potentially include 'social media platforms and entities which trade in personal information such as digital marketing businesses.'14

How these levies are ultimately structured should be a point of interest for Australian businesses. In particular, how the Government identifies entities operating in a 'high privacy risk environment' and the level of pecuniary burden these entities will be required to shoulder to float the OAIC might be an issue they wish to address in submissions in response to the Discussion Paper.

Interaction with other regulatory schemes (domestic and foreign)

In response to a number of submissions highlighting concerns regarding the growing complexity of differing federal privacy obligations (such as under the Privacy Act, the Security of Critical Infrastructure Bill, CPS 234 and CDR) as well as between federal, state and territory laws (including those relating to health information), the Discussion Paper proposes that:

  • the Attorney-General’s Department develop a non-binding privacy law design guide to support consistency between federal agencies when developing new schemes with privacy-related obligations; and
  • a federal, state and territory working group be established to harmonise privacy laws, focusing on key issues.15

Additionally, the Discussion Paper calls for regulators to cooperate in addressing the mishandling of personal information, calling out the intersection between competition law, consumer law and privacy. The Discussion Paper, while acknowledging the intersection and growing complexity of various regimes, does not elaborate on how such cooperation should occur, and both proposals appear to be prospective and non-binding.

Footnotes

  1. Online Privacy Bill, Schedule 2, s5.

  2. Online Privacy Bill, Schedule 2, s23.

  3. Online Privacy Bill, Schedule 2, s21.

  4. Online Privacy Bill, Schedule 2, s11.

  5. Online Privacy Bill, Schedule 2, s12.

  6. Online Privacy Bill, Schedule 2, s8.

  7. Online Privacy Bill, Schedule 2, s8.

  8. Online Privacy Bill, Schedule 2, s5.

  9. Online Privacy Bill, Schedule 2, s33B(2).

  10. Discussion Paper, 174 – 175.

  11. Discussion Paper, 178.

  12. Discussion Paper, 179; Privacy Act ss 52(1)(b)(ii) and 52(1A)(c).

  13. Discussion Paper, 179.

  14. Discussion Paper, 180 – 181.

  15. Discussion Paper, 207 – 217.