What can be done to protect personal information? 10 min read
A number of high profile data breaches and cyber attacks have occurred over the last month—and more continue to come to light every day—leading many in the Government, media and community to ask what can be done to protect personal information?
The Government's immediate answer? Increase the penalties associated with serious breaches of the Privacy Act 1988 (Cth) (the Act) and provide the OAIC with enhanced enforcement and information gathering and sharing powers. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill), introduced into Parliament on 26 October, does exactly that.
This is only the first tranche of proposed comprehensive privacy reforms—those the Government, and presumably the Office of the Australian Information Commissioner (OAIC), consider the most important (and possibly the least controversial). We will need to wait for the outcome of the Attorney-General's broader review of the Act to see what other changes are on the horizon.
Key takeaways
- If the Bill is passed in its current form, the maximum penalty for serious or repeated interferences with privacy for body corporates will increase from $2.2 million to the greater of $50 million, three times the value of the benefit obtained attributable to the breach or, if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
- The OAIC will obtain enhanced information gathering powers, particularly in relation to data breaches, and will also be able to share information publicly if it is in the public interest to do so, and with a broader range of entities, including enforcement bodies (both in Australia and overseas), alternative complaint bodies and state and territory authorities.
- Organisations that carry on business in Australia will be captured by the Act, even if they do not collect or hold information in Australia. If the Bill is passed in its proposed form, this will have very significant unintended consequences.
- Although most of the changes are not entirely unexpected, the proposed new penalties are significant. They leapfrog the penalty increase touted by the previous Government since 2019, and mirror the recent increased penalties introduced for breaches of Australian Consumer Law (ACL). However, in light of the OAIC's historic reticence to pursue pecuniary penalties under the existing provisions and without a significant increase in funding, the OAIC's ability to seek these penalties for all but the most egregious breaches of the Act may be limited. So will the threat of such fines act as enough of a deterrent? Perhaps, although it could also have a chilling effect on organisations' disclosure of data breaches which may not strictly be required to be disclosed as part of the current regime.
Next steps
- The Bill has been referred to the Legal and Constitutional Affairs Legislation Committee, with its report due by 22 November 2022. Submissions are due by 7 November 2022. This timeframe may make it hard for the Bill to pass both Houses this year, and provides only limited time for submissions.
- In light of the increased community (and media) focus on organisations' privacy practices following the recent Optus and Medibank data breaches, we do not expect there to be significant opposition to the Bill in either House.
- The Bill is only the beginning of the slated changes to the Act. Broader amendments are still expected following the conclusion of the Attorney-General's review, which is due to be completed by the end of this year. We have previously reported on where that review may take us, which you can read here.
- Given the impending major privacy reforms and the ever-increasing risk of data breaches, it is now more important than ever to ensure organisations don't collect more data than required and don't keep it for longer than necessary. We provide a practical guide to implementing a robust data retention and destruction program in our recent Insight.
What are the impending changes?
1. Enhanced enforcement powers for the OAIC
Increase in penalties for serious or repeated interferences with privacy
The maximum penalty for serious or repeated interferences with privacy will increase to:
- for individuals, a cap of $2.5 million; and
- for bodies corporate, a cap of the greater of $50 million, three times the value of the benefit obtained attributable to the breach or, if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
The definition of 'adjusted turnover' is similar to that introduced into the ACL and takes into account the sum of the values of all the supplies that the body corporate and any related body corporate have made or are likely to make during the period, with specified exceptions.
Critically, the 'breach turnover period' could be very long in some circumstances—particularly where an issue is unknown and has not been detected for some time. For example, an undetected security vulnerability (eg a legacy system that was supposed to have been decommissioned five years ago but was not) could result in a five-year turnover period. Similarly, retention of records long past their valid retention period (in breach of APP 11.2) could mean the turnover period runs for the period those records have been held past their appropriate destruction date.
Although the penalties are high, similar penalties were just introduced to the Australian Competition and Consumer Act in respect of breaches of the ACL. Whilst there was some consideration by the Parliamentary Joint Committee on Human Rights that such a high penalty for individuals ($2.5 million) may be regarded as 'criminal' for the purposes of international human rights law (and thus require the breach to be demonstrated to the criminal standard of proof of beyond reasonable doubt) we do not expect this to further hold up the passing of the Bill.1
The Federal Court may also provide compensation to individuals if a civil penalty order has been made for a breach of section 13G (serious or repeated interferences with privacy)—previously a breach of section 13G was excluded. This leaves organisations facing both compensation payments and significant penalties for breach.
Interestingly, the actual contravention in s13G remains the same—penalties can be applied where there has been a serious interference with the privacy of an individual or where an organisation repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals. This leaves open the vexed issue of whether the penalty sum for a serious interference could apply on a multiplier basis, depending on the number of impacted individuals. It also leaves the question open as to what constitutes either a 'serious' or 'repeated' interference. Without statutory intervention, these issues will remain up to the court to determine in the current Facebook proceedings, or potentially as part of the broader Act reforms.
It is important to remember that the increased penalty regime does not apply to all data breaches. Just because an organisation has suffered a data breach does not mean it has not complied with the Act. In the case of APP11.1, it remains the case that the organisation must have failed to take reasonable steps in the circumstances to secure personal information, in order for there to be a breach of APP 11.1.
Expands the OAIC's declaration-making powers
The Act enables the OAIC to make declarations following the conclusion of an investigation (whether Commissioner-initiated or following a complaint). The Bill broadens the potential scope of determinations the OAIC can make, including permitting the OAIC to make declarations that require the organisation to:
- prepare and publish or otherwise communicate a statement about the conduct; and
- engage, in consultation with the OAIC, a suitably qualified independent advisor to review the practices that were the subject of the investigation, steps taken to remediate the breach and any other matter relevant to the investigation, and provide a copy of the review to the OAIC.
The Bill also permits the OAIC to publish the determination on its website.
In practice, these changes reflect existing practices of the OAIC—the OAIC has already made declarations requiring organisations to appoint independent reviewers as part of making determinations following OAIC investigations—and has consistently published determinations on its website. These changes appear to close what the OAIC may see as a 'gap' in its legislative ability to undertake some of its existing enforcement practices.
Infringement notices for failure to provide information as required
The Bill will enable the OAIC to issue an infringement notice for failures to provide information as required by the Act. This shifts the current criminal offence to a civil penalty, allowing the OAIC to deal with minor instances of non-compliance without relying on criminal prosecution (or going to court).
As discussed above, we expect the infringement notice regime to be expanded in the forthcoming reforms to also apply to other breaches. The lack of a broader infringement power has been a key differentiator between the OAIC and other regulators (like the Australian Communications and Media Authority (ACMA) and the ACCC) and has left the OAIC to pursue enforceable undertakings, determinations or pecuniary penalty proceedings in the Federal Court (a very resource-intensive process).
2. Expanded information gathering and sharing powers for the OAIC
A key theme of the remaining changes to the Act are tweaks enabling the OAIC to have broader (and better) oversight over organisations' procedures for handling data breaches and their activities when suffering a breach. This seems to 'close the gap' on a number of pain points for the OAIC in its response and handling of recent high profile breaches by Optus and Medibank. These include:
- the power to conduct assessments of organisations' compliance with the Notifiable Data Breaches Scheme under the Act (NDB Scheme);
- the right to require information in relation to an actual or suspected eligible data breach; and
- the right to share information with other enforcement bodies and with the public.
We explain these further below.
The Bill gives the OAIC the power to conduct an assessment of an organisation on its ability to comply with the NDB Scheme, including the extent to which it has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches.
Again, this appears to close a gap in the OAIC's existing assessment powers—enabling the OAIC to pre-emptively test an organisation's compliance with the NDB Scheme.
The OAIC would also be able to require organisations to provide it with information, or answer questions, in relation to an actual or suspected eligible data breach—including an organisation's compliance with the NDB Scheme.
This appears to suggest the OAIC's existing powers under s 42 (preliminary inquiries), s 40(2) (commissioner-initiated investigations) and s 44 (power to obtain information relevant to an investigation) are not sufficient to enable the OAIC to make these types of requests.
It is likely the OAIC considers it important to be able to request information relating to a data breach outside of an obligation (or intention) to undertake an investigation—instead the OAIC may seek information to aid an organisation in complying with its obligations, or to enable the OAIC to respond to government and community questions.
The Government has also taken the opportunity to specify that a statement prepared by an organisation in response to an eligible data breach must identify the particular kinds of information the subject of the breach, rather than just the kinds of information. This potentially indicates that the OAIC has not been comfortable with the level of detail provided by organisations to date in response to eligible data breaches.
The OAIC would also have enhanced information-sharing powers for information gathered through the Commissioner's information commissioner functions, freedom of information functions and privacy functions.
The Bill provides the OAIC with the power to disclose information or documents with:
- an enforcement body;
- an alternative complaint body; and
- a state, territory or foreign regulator that has functions to protect the privacy of individuals.
The explicit information-sharing powers regarding foreign regulators continues the OAIC's focus on greater collaboration with equivalent foreign regulators given the increasing prevalence of cross-border data flows.
3. Extraterritorial application of the Act
The Bill will remove the requirement that an organisation has to collect or hold personal information in Australia in order for the Act to apply to that organisation. If the Bill is passed as proposed, there will be very significant unintended consequences of this change.
This proposed change is not new. It has already been proposed in the exposure draft of the Online Privacy Bill and in the Attorney-General's Act review, and follows various disputes over the extraterritorial application of the Act in the OAIC's current proceedings against Facebook, the entities of which are established overseas—a case that may set a precedent for similar multinational organisations. We provide an in-depth analysis of the proceedings in our Insight.
The intention of the change is to ensure that organisations which carry on business in Australia, but do not themselves directly collect or hold personal information in Australia, can nonetheless be caught by the Act. An example of this might be where a particular offshore entity which has business operations in Australia only handles personal information by virtue of it receiving that personal information from another group entity also located outside of Australia.
However, this would – on its face value – have a very broad effect. For example, it could result in related foreign companies of Australian organisations which provide services (for example back office services) to Australian group companies being caught directly by the Act.
Even more broadly, it would also result in the Act applying to all acts done or practices engaged in by overseas entities which carry on business in Australia, irrespective of whether the acts or practices relate to individuals located in Australia. In other words, a global organisation would be required to comply with the Act in respect of its entire global operations, including in relation to individuals located in other jurisdictions.
This would create a far broader scope of extra-territorial application than under legislation in other jurisdictions, including the GDPR, CCPA and PIPL in China.
We consider that the Bill must be amended so that the relevant personal information has some direct link to Australia. For example, the EU GDPR applies extraterritorially outside the EU, but only in relation to personal data of data subjects in the EU and only when certain activities are involved. A similar limitation should be added to the Bill to ensure that the obligations apply only to personal information of individuals located in Australia.
4. Ancillary changes
Finally, the Bill also expands ACMA's existing rights to disclose information to specified federal agencies (like the ACCC and APRA) to any non-corporate federal entity if that information enables the authority to perform its functions.
The amendments to the Australian Competition and Media Authority Act 2005 are intended to enable ACMA to undertake greater information sharing and cooperation between government agencies—and although the rationale is to improve and aid responsiveness to cyber threats and data breaches, the information-sharing provisions are not limited to those areas.