New privacy law sees tougher penalties

New privacy law sees tougher penalties and enforcement powers for serious and repeated privacy breaches.

Recent high-profile and large-scale data breaches involving Optus, Medibank Private, MyDeal and others have resulted in the personal information about millions of Australians being compromised. These data breaches may have direct and long-lasting impacts, including financial harm through identity theft or fraud, psychological harm and reputational harm.

This has highlighted the need for more effective safeguards and privacy controls used by organisations. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 has been introduced to help address this problem and to push businesses to do better when it comes to their privacy, security, and information handling practices.

The recent Optus data breach has been singled out as the largest data breach in Australia’s history due to the sheer number of affected Australians and the extensive kinds of personal information involved. With nearly 10 million affected Australian customers, Optus has advised that the data breach may have exposed its ‘customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers’, as well as Medicare card numbers for a subset of customers.

Major changes

The most significant change is to the maximum penalty for serious or repeated interferences with the privacy of an individual, which has increased dramatically to reflect the seriousness of privacy compliance and cybersecurity. The amended penalties are:

  • For a person other than a body corporate, $2.5 million (increased from $444,000)
  • For a body corporate, the greater of $50 million, 3 times the value of benefits obtained or attributable to the breach (if quantifiable in court), or 30% of the corporation's adjusted turnover in the relevant period (increased from $2.2 million).

The Amendment Act also grants expanded regulatory powers to the OAIC to allow it to better oversee organisations' procedures for handling data breaches. The OAIC can now:

  • Issue infringement notices for minor instances of non-compliance without relying on criminal prosecution.
  • Require entities to undertake an independent review of practices that are subject to complaints and review the steps taken.
  • Conduct assessments of an entity’s compliance with the Notifiable Data Breaches Scheme even if a data breach has not occurred.
  • Obtain and share information or documentation regarding a breach with the public or enforcement bodies, if deemed in their interest.

The regulations outlined in the Amendment Act apply to all organisations that trade in Australia, not just those that collect or hold private information. The Amendment Act tightens restrictions on overseas companies by removing the Australian Link requirement under the Australian Privacy Principles. This makes it difficult for overseas companies to avoid complying with Australian privacy laws simply by being based overseas.

Make sure you are not exposed

To ensure your customers do not experience the costs associated with data leaks, all companies need to have up-to-date data and privacy policies and procedures.

This involves reviewing processes involved in the collection, storage, processing, sharing and destruction of information and data. It is also important that you conduct an audit of all data and controls to ensure all associated third-party risks are being managed effectively. Specifically, it is important to consider:

  • Obtaining cyber insurance
  • Your level of exposure to legislative breaches if you are not insured.

More information

The information provided in this article is of a general nature only and has been prepared without taking into account your individual objectives, financial situation or needs. If you require advice that is tailored to your specific business or individual circumstances, please contact HDL.  

HDL news, updates and publications may contain links to non-HDL websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by HDL, as we have no responsibility for information referenced in material owned and controlled by other parties. HDL strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.