Crackdown on privacy breaches – increased penalties and enforcement

In the wake of recent high profile data breaches, the Federal Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Cth) (Bill) on 26 October 2022. The Bill significantly increases maximum penalties under the Privacy Act 1998 (Cth) (Act), enhances the enforcement powers of the Office of the Australian Information Commissioner (OAIC) and broadens the extraterritorial application of the Act.

Increased penalties

The maximum penalty under the Privacy Act is currently $2.22 million for a body corporate or $444,000 for an individual. The Bill proposes a significant increase to these penalties. The proposed maximum penalty for a body corporate that seriously or repeatedly interferes with the privacy of one or more persons is the greater of:

  • $50 million;
  • if the Court can determine the value of the benefit obtained from the interference – three times the value of that benefit; or
  • if the Court cannot determine the value of the benefit obtained – 30% of the sum of the value of all the supplies that the body corporate and any related body corporate made during the breach turnover period.

For an individual, the proposed maximum penalty is $2.5 million.

Enhanced enforcement powers

The Bill affords new powers to the OAIC to ensure compliance with the Act. Among these new powers, the OAIC will be able to require that a party who is subject to a complaint engage an independent adviser to investigate and review the party’s privacy practices. The independent adviser will provide a copy of their findings to the OAIC.

The OAIC will also have the power to require a party to prepare and publish a public statement, in consultation with the OAIC, about conduct which has breached the Act. This is likely to increase the reputational implications of non-compliance.

Extraterritorial application

The Bill expands the extraterritorial application of the Act. If the Bill is passed, the Act will apply to all foreign organisations that carry on a business in Australia, removing the requirement that the organisation collect or hold information in Australia.

What you need to do

If you collect or hold any personal information, now is the time to review your privacy policy, practices and procedures. The potential financial penalties, reputational implications and the enhanced powers of the OAIC proposed by the Bill emphasise the importance of compliance with the Act. In addition to introducing the Bill to Parliament, the Government is also undertaking a comprehensive review of the Privacy Act generally, which is due to be completed this year. It is expected that the proposed amendments to the Act set out in the Bill will be just the beginning of broad privacy reforms in 2023.

More information

If you have any queries or would like further information about this article, please contact:

Kathryn Speed
M: 0408 446 013

Luke Phillips
T: (03) 6235 5184

Published: 17 November 2022

Copyright © 2023 Page Seager.