Key points
- The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases penalties for serious or repeated interferences with privacy under the Privacy Act 1988.
- The Bill falls short of amending the ‘serious or repeated interference with privacy’ threshold that triggers the civil penalty provision in section 13G of the Privacy Act, as proposed by submitters to the Privacy Act review.
- For the increased penalty regime to have a real and sufficient deterrent effect, it will need to be matched by further reforms to the Privacy Act and adequate funding for the under‑resourced Office of the Australian Information Commissioner.
- The Bill provides the Australian Information Commissioner with greater enforcement and information sharing powers under the Privacy Act and the Australian Information Commissioner Act 2010.
- Stakeholders, especially entities covered by the Privacy Act, have expressed concerns about the proposed enforcement and information sharing powers of the Commissioner.
Introductory Info
Date introduced: 26 October 2022
House: House of Representatives
Portfolio: Attorney-General
Commencement: The day after Royal Assent
The Bills Digest at a glance
Purpose
The purpose of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) is to:
Background
Recent data breaches, especially the Optus data breach, affecting numerous Australians have prompted a series of immediate actions by the Australian Government, including the introduction of the Bill.
The Bill is a result of the Australian Government expediting some aspects of the ongoing Privacy Act review conducted by the Attorney-General’s Department. The Bill also includes provisions similar to various elements of the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill Exposure Draft) released for discussion and consultation by the previous Government.
Key issues and provisions
- The Bill increases the maximum civil penalty for serious or repeated interferences with privacy from the current $2.22 million to an amount that is the greater of $50 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 30% of an entity’s adjusted turnover in the relevant period.
- The Bill falls short of amending the ‘serious or repeated interference with privacy’ threshold that triggers the civil penalty provision in section 13G of the Privacy Act, as proposed by submitters to the Privacy Act review.
- For the increased penalty regime to have a real and sufficient deterrent effect, it cannot rely solely on the perceived deterrent effect of the penalty quantum. It will need to be matched by further reforms to the broader enforcement framework for interferences with privacy under the Privacy Act. The Office of the Australian Information Commissioner’s (OAIC) privacy functions relevant to proactive investigation and enforcement activity will also need to be adequately resourced.
- The Bill lowers the threshold for a foreign organisation to be covered by the Privacy Act.
- The Bill provides enhanced enforcement and information sharing powers for the Commissioner and the OAIC, which may attract opposition from regulated entities who have expressed concerns on largely similar amendments in the Online Privacy Bill Exposure Draft.
Purpose of the Bill
The purpose of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) is to:
Background
Recent data breaches
September–October 2022 saw various high-profile and large-scale data breaches affecting Australia. Data breaches involving Optus, Medibank Private, MyDeal and others have resulted in the personal information of millions of Australians being compromised. These data breaches may have direct and long-lasting impacts on affected Australians, including financial harm through identity theft or fraud, psychological harm and reputational harm.
The recent Optus data breach has been singled out as the largest data breach in Australia’s history due to the sheer number of affected Australians and the extensive kinds of personal information involved.[2]
With nearly 10 million affected Australian customers,[3] Optus has advised that the data breach may have exposed its ‘customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers’, as well as Medicare card numbers for a subset of customers.[4]
The Optus data breach has prompted a series of immediate actions by the Australian Government, including:
Privacy Act review
In light of the Optus data breach, Attorney-General Mark Dreyfus has criticised the ‘very outdated piece of legislation in the Privacy Act’ and undertaken to have the ongoing review of the Privacy Act finalised by his department by the end of 2022.[7]
In December 2019, the Morrison Government announced that it would conduct a review of the Privacy Act as part of its response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.[8]
The Privacy Act review was opened for public consultation and submissions on its issues paper published in October 2020 and discussion paper published in October 2021.
The review covers areas including:
- the scope and application of the Privacy Act
- whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
- whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
- whether a statutory tort for serious invasions of privacy should be introduced into Australian law
- the impact of the Notifiable Data Breaches (NDB) scheme and its effectiveness in meeting its objectives
- the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
- the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.[9]
Despite the progress of the review, on 12 October 2022, Attorney-General Mark Dreyfus stated that the Government was considering expediting ‘some urgent reforms that [they] can make quickly to the Privacy Act’ in response to the Optus data breach. The present Bill is the result of that expedited process. According to the Attorney-General, the Bill is ‘in addition to’ the Privacy Act review ‘with recommendations expected for further reform’.[10]
Online Privacy Bill Exposure Draft
The Morrison Government also announced a parallel reform separate to the Privacy Act review – the proposed introduction of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill). The Online Privacy Bill aimed to address the pressing privacy challenges posed by social media and other online platforms.
In October 2021, the Attorney-General’s Department (AGD) released an Exposure Draft of, an explanatory paper to and a regulatory impact statement on the Online Privacy Bill for public consultation (which closed in December 2021). However, the Online Privacy Bill was never formally introduced by the Morrison Government during the 46th Parliament. This Bill contains various elements of the Online Privacy Bill, as discussed below.
Committee consideration
Senate Legal and Constitutional Affairs Committee
The Bill has been referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 22 November 2022.
Senate Standing Committee for the Scrutiny of Bills
At the time of writing, the Senate Standing Committee for the Scrutiny of Bills had not reported on the Bill.
Policy position of non-government parties/independents
The Australian Greens described the Bill as ‘a step forward’ but expressed its concern that ‘[i]t’s not much use beefing up the Information Commissioner’s powers if they don’t get matching funding so they can actually use those powers.’[11]
At the time of writing, other non-government parties and the independents do not appear to have commented publicly on the Bill.
Position of major interest groups
Major interest groups, especially entities covered by the Privacy Act, have previously provided submissions on the Online Privacy Bill Exposure Draft, which, as already noted, contained some amendments that are equivalent to those in the present Bill. The proposed amendments relating to the Commissioner’s enforcement and information gathering powers in the Exposure Draft were met with opposition from some of those entities, as discussed below.
Financial implications
The Explanatory Memorandum to the Bill states that the Bill may increase Commonwealth revenue due to increased penalties, depending on the number and quantum of successful civil penalty orders sought by the Commissioner.[12]
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[13]
Parliamentary Joint Committee on Human Rights
At the time of writing, the Parliamentary Joint Committee on Human Rights has not reported on the Bill.
Key issues and provisions
Increased penalties for serious and repeated interferences with privacy
Currently section 13G of the Privacy Act gives rise to a civil penalty if:
- an entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual
- an entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Item 14 of the Bill inserts proposed subsection 13G(3) into the Privacy Act to set out the penalty for a serious or repeated interference with privacy by a body corporate. This increases the maximum civil penalty from 10,000 penalty units, which currently equate to $2.22 million,[14] to an amount that is the greater of:
- $50 million (proposed paragraph 13G(3)(a))
- 3 times the value of the benefit the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy if the court can determine this value (proposed paragraph 13G(3)(b))
- 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention if the court cannot determine the value of the benefit under paragraph 13G(3)(b) (proposed paragraph 13G(3)(c)).[15]
Proposed subsection 13G(2) of the Privacy Act sets out the penalty for a serious or repeated interference with privacy by a person other than a body corporate (such as a sole trader or a partnership). This increases the penalty from a maximum of 2,000 penalty units, which currently equate to $444,000, to a maximum of $2.5 million.
The ‘serious or repeated interference with privacy’ threshold
An ‘interference with privacy’ is defined in section 13 of the Privacy Act, and is a breach of the Privacy Act or of a privacy-related provision in certain other legislation. However, the phrases ‘serious interference with privacy’ and ‘repeated interference with privacy’ are not defined in the Privacy Act and there have been no decided cases under this provision. At the time of introduction of these terms, the relevant Explanatory Memorandum stated that the ordinary meaning of the terms ‘serious’ and ‘repeated’ would apply.[16]
The Bill does not propose any change to this threshold.
In its Guide to privacy regulatory action, which is administrative guidance only, the OAIC states that the question of whether an interference with privacy is serious is an objective one that will reflect the opinion of a reasonable person.[17] It provides a list of factors that it considers ‘are relevant in considering whether a particular interference with privacy is serious’:
- the number of individuals potentially affected
- whether it involved ‘sensitive information’ or other information of a sensitive nature
- whether significant adverse consequences were caused or are likely to be caused to one or more individuals from the interference
- whether vulnerable or disadvantaged people may have been or may be particularly adversely affected or targeted
- whether it involved deliberate or reckless conduct
- whether senior or experienced personnel were responsible for the conduct.[18]
The OAIC also administratively defines ‘repeated interference with privacy’ to mean that an entity has interfered with the privacy of an individual or individuals on two or more separate occasions, which could arise from:
- the same act or practice done on two or more occasions
- different acts or practices done on two or more occasions.[19]
A proposal in the ongoing Privacy Act review is to clarify what constitutes a ‘serious’ or ‘repeated’ interference with privacy. In its October 2021 Privacy Act review – discussion paper, AGD acknowledges that there could be a benefit in more clearly identifying the type of conduct captured by the ‘serious or repeated interference with privacy’, which is that it would increase clarity for the OAIC, APP entities (regulated by the Privacy Act) and the courts.[20]
In its submission to the Privacy Act review – discussion paper, the OAIC supports the proposal to clarify the phrase, but recommends removing the ‘repeated’ threshold. This is because the OAIC considers that ‘a repeated act or practice that interferes with the privacy of individuals would fall within the natural meaning of a “serious” privacy incident, rather than existing as a separate legal construct’.[21]
Nevertheless, the OAIC indicates that it supports the proposal to clarify the ‘serious or repeated interference with privacy’ threshold only if its preferred recommendation of repealing the threshold altogether, as discussed below, is not adopted.[22]
It is unclear whether the Government made a conscious decision not to clarify those terms in the Bill, or decided to defer the issue until the ongoing review of the Privacy Act is completed. Either way, the Bill appears a missed opportunity to give those terms the legislative clarity they are said to need.
Comparison with other existing or proposed penalty regimes
The proposed maximum penalties in this Bill are identical to those proposed under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, which had passed both Houses by 27 October 2022.[23] In this way, the Government has adopted Recommendation 16(f) in the ACCC’s July 2019 Digital Platforms Inquiry – final report that the maximum penalties for serious or repeated interferences with privacy under the Privacy Act be increased to mirror the penalties for breaches of the ACL to achieve effective deterrence.[24]
The proposed maximum penalties in the Bill exceed what was proposed in the Online Privacy Bill Exposure Draft for privacy breaches by social media services, data brokerage services and large online platforms: $10 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 10% of an entity’s annual Australian turnover.[25]
In terms of comparisons with equivalent legislation in overseas jurisdictions, the proposed maximum penalty of $50 million in the Bill is significantly higher than the maximum penalty of €20 million (approximately A$31 million) under the European Union General Data Protection Regulation (GDPR).[26] However, the proposed penalty of 30% of a body corporate’s annual Australian turnover in the Bill may not be directly comparable with the penalty of 4% of an entity’s global annual turnover under the GDPR.
How would the strengthened penalty regime protect Australians’ information privacy?
Before introducing the Bill, Attorney-General Mark Dreyfus pointed out that the reputational harm suffered by entities from data breaches ‘clearly isn’t enough’.[27] In his second reading speech on the Bill, he was unequivocal that tougher penalties were intended to have deterrent effects to incentivise entities to have stronger safeguards to protect Australians’ personal information:
… This bill sends a clear message that the Albanese government takes privacy, security and data protection seriously.
As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.
Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this.
…
Increased penalties …
Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data.
Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians …[28]
Emphasis on the consequences of data breaches
The stated purpose of the increased penalty regime focuses on the consequences of an entity’s failure to protect personal information it holds from unauthorised access, as regulated by Australian Privacy Principle (APP) 11.1 of Schedule 1 to the Privacy Act.[29] It is unlikely to address the root-cause issues of potential over-collection of personal information (APP 3), at one of the earliest stages of the information lifecycle, and of data retention (APP 11.2). The Optus data breach has raised a question about whether it is reasonably necessary for a telecommunications company to record information relating to a customer’s identification documents after their identity has been verified. It has also raised the issue of whether a telecommunications company needs to retain or destroy a customer’s personal information once it is no longer needed for the purpose for which it was collected (for example, in the case of former customers).
These issues point to the data minimisation principle advocated by Australia’s privacy regulators and ombudsmen that ‘the collection of personal information … should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose’.[30] An obvious benefit of data minimisation is that the less personal information is collected, the less is exposed to unauthorised access in the event of a data breach. However, an entity’s efforts to realise this ideal privacy practice are often limited by its statutory obligations to collect and retain personal information for national security and crime prevention reasons.
For example, the Telecommunications (Interception and Access) Act 1979 requires a telecommunications company to collect and retain various kinds of personal information about a customer, including their contact information and ‘information for identification purposes’ – even beyond their time as a customer.[31] Such a legislative requirement absolves the company of its normal obligation under APP 11.2 to take reasonable steps to destroy or de-identify the customer’s relevant personal information that it no longer needs for any purpose for which the personal information may be used or disclosed under the APPs.[32]
Therefore, the increased penalty regime may be seen as a band-aid solution that does not directly address the root-cause issues of over-collection and data retention underlying the Optus data breach. These issues will likely persist without appropriate reforms to relevant data retention legislation in addition to imminent reforms to the Privacy Act, including the proposed introduction of a right to erasure of personal information.[33] Any reforms to relevant data retention legislation will need to strike a delicate balance between safeguarding Australia’s national security and protecting Australians’ information privacy.
Deterrent effect of the increased penalties
The Government appears hopeful that the quantum of the increased penalties will have a general deterrent effect for entities that have obligations to protect Australians’ personal information from data breaches under the Privacy Act. However, the OAIC’s very limited track record of using the existing penalty regime as a regulatory tool to date may cast doubt on whether the intended deterrent effect can be achieved. Since section 13G of the Privacy Act (the civil penalty provision for serious or repeated interferences with privacy) commenced in March 2014,[34] the OAIC’s litigation against Facebook Inc and Facebook Ireland currently before the Federal Court of Australia (which concerns the Facebook–Cambridge Analytica data scandal that occurred in the 2010s) is the first and only instance of civil penalty proceedings by the OAIC.
Indeed, the current process of having a civil penalty order imposed on an entity can be lengthy and complex. The Commissioner does not have power under the Privacy Act to directly impose a penalty on a regulated entity. Rather, the Commissioner must apply to the Federal Court of Australia or the Federal Circuit and Family Court of Australia for a civil penalty order against an entity for a serious or repeated interference with privacy.[35] The OAIC has expressed criticism of the current provision, arguing that the ‘serious’ and ‘repeated’ thresholds in section 13G – which the Commissioner must demonstrate before civil penalty orders can be made by the courts – are ‘unnecessary’ because:
these factors are more appropriate considerations after breach has been established when the Federal Court determines civil penalties using well-established legal principles. The nature and extent of any contravention is also explicitly required for consideration under s 82(6) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act) when determining pecuniary penalties. Requiring the Commissioner to adduce evidence of these matters to demonstrate a breach of s 13G creates unnecessary duplication which may not be an efficient use of public resources …
[Section 13G] imposes legal concepts of seriousness and repeated conduct that distract from the proper focus on whether the Privacy Act itself has been breached. These concepts are more appropriately addressed after a breach has been established when determining pecuniary penalties.[36]
In response to the Privacy Act review – discussion paper, the OAIC recommended that section 13G (and, therefore, the ‘serious’ and ‘repeated’ thresholds) be repealed and a single civil penalty provision for any interferences with privacy (rather than only the serious and repeated ones) be introduced to create a simpler civil penalty framework.[37] It also recommended the creation of a series of low-level civil penalty provisions under certain APPs for administrative breaches of the APPs with attached infringement notice powers for the Commissioner.[38]
Further, the OAIC’s longstanding resourcing constraints amid its growing workloads may have also contributed to its very limited track record of using the existing civil penalty regime as a regulatory tool.[39] As acknowledged by the OAIC, the contemporary approach to regulation expected by Australians is that government regulators use the full range of compliance and enforcement tools available in the law.[40]
The OAIC’s FOI disclosure log indicates that following the 2022 Federal Election, in June 2022, Angelene Falk, Australian Information Commissioner and Privacy Commissioner, provided Attorney-General Mark Dreyfus a brief titled Overview of OAIC strategic priorities.[41] In the brief, before noting the ‘[s]ignificant funding pressure’ faced by her office, Commissioner Falk stated:
The complexity of personal information flows in the digital economy and the significant information asymmetry between digital platforms and individuals necessitates less reliance on the traditional individual complaint-based mechanisms for addressing privacy risks and harms, requiring increased proactive investigation and enforcement activity … The changed enforcement posture and focus on global, digital and significant privacy risks and harms is more expensive than the traditional complaint-handling dispute resolution approach of the office …[42]
However, any shift in the OAIC’s regulatory posture from its historical focus on resolving privacy complaints to more use of regulatory ‘sticks’ would also need to be reflected in future funding arrangements for the national privacy regulator. In the October 2022–23 Budget, the OAIC has been allocated $5.5 million over 2 years from 2022–23 to support its response to the Optus incident.[43] In the March 2022–23 Budget, the OAIC was allocated $8.71 million in 2022–23 and $8.24 million in 2023–24 to process privacy complaints and enhance its capacity to take regulatory action for breaches of privacy, such as litigation against social media platforms. These funding allocations from March 2022 have also been confirmed.[44] However, it remains to be seen whether these budget measures will be adequate to meet the OAIC’s existing workload and the expanding scope of the OAIC’s jurisdiction proposed by the Bill and envisaged in the ongoing Privacy Act review.
Therefore, for the increased penalty regime to have a real and sufficient deterrent effect, it cannot rely solely on the perceived deterrent effect of the penalty quantum. The increased penalty regime will need to be matched by further reforms to the broader enforcement framework for interferences with privacy under the Privacy Act. The OAIC’s privacy functions relevant to proactive investigation and enforcement activity, as enhanced by the greater enforcement powers proposed in the Bill, will also need to be adequately resourced for the OAIC to be an agile regulator taken seriously by the regulated.
Enhanced enforcement powers for the OAIC
Currently, the Privacy Act has extra-territorial reach to any foreign organisation that has an ‘Australian link’, which is enlivened by satisfying two criteria:
- The organisation carries on business in Australia or an external Territory (existing paragraph 5B(3)(b)).
- The organisation collected or held personal information in Australia or an external Territory, either before or at the time of the act or practice (existing paragraph 5B(3)(c)).
Item 10 of the Bill repeals existing paragraph 5B(3)(c), which would leave ‘carrying on business’ in existing paragraph 5B(3)(b) effectively the only requirement for a foreign organisation to have an Australian link.
The Explanatory Memorandum to the Bill provides the rationale behind this proposed amendment:
- Currently, foreign organisations must meet obligations under the Privacy Act if the entity has an Australian link. A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians’ information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered ‘in Australia’.
- The purpose of this item is to update the provision to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia. However, these organisations will often still otherwise be carrying on a business in Australia, and should be required to meet the obligations under the Privacy Act.
- This mirrors similar provisions in the Australian Consumer Law (ACL). Subsection 5(1) of the Competition and Consumer Act 2010 extends the application of the relevant ACL provisions to conduct by Australian incorporated bodies or those carrying on business in Australia, and Australian citizens or people ordinarily resident within Australia.[45]
Further, the second reading speech on the Bill provides that this proposed amendment aims ‘[t]o ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore’.[46]
The proposed amendment may have come amid the OAIC’s ongoing litigation against Facebook Inc and Facebook Ireland before the Federal Court of Australia, which has raised issues about the extra-territorial provisions of the Privacy Act. One of these issues concerns whether Facebook Inc was collecting or holding in Australia the personal information that is the subject of the claim. The Full Court of the Federal Court of Australia upheld the primary judge’s conclusion (which had been disputed by Facebook Inc) that an inference was open that Facebook Inc collected relevant personal information in Australia by means of cookies which it installed on the devices of Australian users.[47]
This proposed amendment is identical to an amendment in the Online Privacy Bill Exposure Draft.[48]
Given its own legal battles in relation to the extra-territoriality of the Privacy Act, it is relevant to note Meta’s (formerly Facebook Inc) concerns about the proposed lower threshold of the ‘Australian link’ test (in response to the Online Privacy Bill Exposure Draft):
… [T]he proposed change to the “Australian link” test means that any foreign corporation that carries on business in Australia will be bound to comply with the Australian Privacy Act even in relation to personal information that they collect from individuals who are not in Australia.
For example, if a US corporation carries on business in Australia through providing services to Australian end users, then the updated “Australian link” test would mean that the Privacy Act would also apply to that corporation’s handling of information about users in the US or in any other jurisdiction where that corporation makes its services available. This appears to be an unintentional consequence of the proposed drafting changes. In principle, we see no reason for Australian laws to seek to regulate management of personal information that has no direct connection with Australia or with Australians.[49]
Law firm Herbert Smith Freehills also observed that, as ‘a (presumably unintentional) consequence of the proposed drafting change’, the reduced threshold in the present Bill could be interpreted to mean that:
foreign companies carrying on business in Australia would be subject to the Act even in respect of their activities that do not relate to their business in Australia, or to Australian individuals. We note that the EU’s General Data Protection Regulation includes extra-territoriality tests based on individuals in the EU, and the California Consumer Privacy Act includes a test based on Californian residents.[50]
In its submission to the Online Privacy Bill Exposure Draft, Communications Alliance noted a similar concern but suggested that:
If the concern is that an organisation may indirectly collect or hold information that is derived from another source within Australia that directly collects or holds the information, section 5B could be amended to bring such indirect collection and holding within the definition. Otherwise, the change would create broad, uncertain and unconstrained extraterritoriality that is not consistent with good legislative practice and comity between national laws.[51]
Strengthened Notifiable Data Breaches scheme
More detailed notification to the Commissioner
Under the NDB scheme of Part IIIC of the Privacy Act,
any organisation or agency covered by that Act must notify the OAIC and take
reasonable steps to notify affected individuals when a data breach is likely to
result in serious harm to the affected individuals (which is known as an
‘eligible data breach’).
If an entity is aware that there are reasonable grounds to
believe that there has been an eligible data breach of the entity, one of its
notification obligations under the NDB scheme is to prepare a statement for the
Commissioner under section
26WK of the Privacy Act (before notifying the contents of this
statement to affected individuals under section
26WL). One of the pieces of information that must be included in that
statement is ‘the kind or kinds of information concerned’ in the eligible data
breach (paragraph 26WK(3)(c)).
Item 17 of the Bill amends paragraph 26WK(3)(c)
of the Privacy Act such that a reporting entity must include information
about the particular kind(s) of personal information involved in an
eligible data breach, as opposed to just the kind(s) of personal information.
In practice, this may mean, for example, instead of notifying
that ‘contact information’ has been involved in an eligible data breach (which
is one of the ‘categories’ of personal information in the OAIC’s online Notifiable
data breach form), the reporting entity must state the specific kinds
of contact information (which may be, for example, home address, phone number
or email address).
The Explanatory Memorandum to the Bill states that this proposed
amendment:
… is necessary to ensure the Commissioner has a comprehensive
knowledge of the information compromised in an eligible data breach in order to
assess the particular risk of harm to individuals, and whether the
recommendations about the steps that individuals should take in response to the
eligible data breach outlined in a notification are sufficient.[52]
This proposed amendment would ultimately benefit affected
individuals, as a reporting entity also has an obligation to take reasonable
steps to notify the contents of the section 26WK statement (which has been provided
to the Commissioner) to the affected individuals under section 26WL.
New information gathering powers relating to eligible data breaches
Currently, information available to the Commissioner and their
office about an eligible data breach under the NDB scheme is limited to
information that an entity voluntarily discloses in its section 26WK statement.
To obtain more detailed information about the data breach, the Commissioner or their
delegates may make preliminary inquiries of the entity or a third party under subsection 42(2)
of the Privacy Act. However, there appears to be no obligation on the
entity or the third party to respond to or cooperate with those preliminary
inquiries. It is only after the Commissioner has opened a formal investigation
against the entity under subsection
40(2) that the Commissioner’s information gathering power under subsection
44(1) may be enlivened.
Proposed section 26WU of the Bill (inserted by item
18 of the Bill) addresses this gap. It provides the Commissioner with a
power to require a person or an entity, by written notice, to give information,
produce a document or answer questions of a kind specified in the notice (proposed
subsection 26WU(3)) if the Commissioner has reason to believe that they
have information or documents, or can answer questions, that are relevant to
either or both of the following matters (the relevant matters):
- an actual or suspected eligible data breach of an entity (proposed paragraph
26WU(1)(a))
- an entity’s compliance with the requirements in Part IIIC, Division 3 (proposed
paragraph 26WU(1)(b)).
Proposed subsection 26WU(2) provides a non-exhaustive
list of factors that the Commissioner may consider to be the relevant
matters.
Proposed subsection 26WU(4) provides that, in a subsection
26WU(3) notice, the Commissioner must state the place and time at which the
information, document or answers must be provided.
Proposed subsection 26WU(5) outlines how the
Commissioner may or must handle documents produced in response to the subsection
26WU(3) notice.
Proposed subsection 26WU(6) provides that the
Commissioner must not exercise their power under proposed section 26WU
where the Attorney-General has furnished to the Commissioner a certificate
under section
70 certifying that the giving to the Commissioner of information concerning
a specified matter, or the production to the Commissioner of a specified
document or other record, would be contrary to the public interest.
Proposed subsection 26WU(7) ensures that a person
or entity is not liable to a penalty under the provisions of any other
Commonwealth law because they have given information, produced a document or
answered a question to comply with a subsection 26WU(3) notice.
New powers to conduct assessments on compliance with the NDB scheme
Under section 33C of the Privacy Act, the
Commissioner currently has a power to conduct an assessment of an entity’s
compliance relating to various
aspects of the Act, even in the absence of a breach of the Act or a privacy
complaint having been made.[53]
However, the Commissioner does not have a power to assess an entity’s
compliance with the NDB scheme.
Proposed subparagraph 33C(1)(ca) (inserted by item
21 of the Bill) addresses this gap and provides the Commissioner a new
power to conduct an assessment of an entity’s ability to comply with the NDB
scheme in Part IIIC of the Privacy Act. This proposed amendment has
adopted a similar amendment in the Online Privacy Bill Exposure Draft.[54]
Proposed paragraphs 33C(3)–(8) (inserted by item
22 of the Bill) provide information gathering powers, and limitations on
those powers, similar to those in proposed section 26WU discussed above.
New infringement notice powers to penalise failure to provide information
Item 38 of the Bill repeals the criminal penalty in
existing subsection 66(1) of the Privacy Act and substitutes it
with a civil penalty for a basic contravention which arises where a person is
required to give information, answer a question, or produce a document or
record under the Act, and refuses or fails to do so (for example, under proposed
subsection 26WU(3), proposed paragraph 33C(3) or existing subsection
44(1) discussed above). The penalty is 60 penalty units for a person and
300 penalty units for a body corporate.
Item 44 of the Bill inserts proposed section
80UB. This allows the Commissioner or an SES employee of the OAIC (or
equivalent) as an ‘infringement officer’ (pursuant to Part 5 of the Regulatory Powers
(Standard Provisions) Act 2014) to issue an infringement notice instead
of seeking a civil penalty for contraventions of proposed subsection 66(1).
The Explanatory Memorandum to the Bill posits that:
… Infringement notices will provide the Commissioner with a
timely, cost-efficient enforcement outcome in relation to minor contraventions
of section 66. The infringement notice provision will provide an alternative to
litigation of a civil matter. This will enable the Commissioner to resolve
privacy complaints and investigations more efficiently.[55]
Further, item 39 of the Bill inserts proposed
subsection 66(1AA) to the Privacy Act. This creates a new offence
for a corporation of engaging in conduct that constitutes a system of conduct
or a pattern of behaviour that results in two or more contraventions of proposed
subsection 66(1). This would enable the OAIC to refer matters to the
Commonwealth Director of Public Prosecutions for more serious and systemic
conduct of failing to provide information.[56]
However, items 40 and 41 of the Bill amend subsection 66(1B) of the Privacy
Act so that proposed subsection 66(1AA) is subject to the
‘reasonable excuse’ safeguard in existing subsection 66(1B).
These proposed new infringement notice powers to penalise
failure to provide information also adopt similar amendments in the Online
Privacy Bill Exposure Draft.[57]
Enhanced information sharing powers for the Commissioner
Power to share information with authorities
Proposed section 33A of the Privacy Act (inserted
by item 20 of the Bill) provides the Commissioner the power to share
information or documents with a receiving body for the purpose of
the Commissioner or the receiving body exercising powers, or performing
functions or duties (proposed subsection 33A(1)). The Explanatory
Memorandum states that proposed section 33A is an authorisation by law for the
purposes of APP 6.2(b).
Proposed subsection 33A(2) states that a receiving
body may be:
- an enforcement body (as defined in subsection 6(1))
- an alternative complaint body (as defined in subsection 50(1))
- a state or territory authority (as defined in subsection 6C(1)) or an
authority of the government of a foreign country that has privacy functions.
Proposed subsection 33A(3) provides that the
Commissioner may only share information or documents with a receiving body if:
- the information or documents were acquired by the Commissioner in the course of
exercising powers, or performing functions or duties under the Privacy Act and
- the Commissioner is satisfied on reasonable grounds that the receiving body has
satisfactory arrangements in place for protecting the information or documents.
Proposed subsection 33A(4) provides that if the
Commissioner acquired the information or documents from an Australian
Government agency (as defined in subsection
6(1)), the Commissioner may only share the information or documents with a
receiving body that is also an Australian Government agency (and not a state or
territory authority, or foreign body).
Proposed subsection 33A(5) provides that a
receiving body may only use the information for the purposes for which it was
shared.
Proposed subsection 33A(6) clarifies that the
Commissioner is not required to transfer a complaint or part of a complaint to
share information or documents with a receiving body.
These proposed amendments are in similar terms to those in
the Online Privacy Bill Exposure Draft, although the present Bill inserts an
additional safeguard that a receiving body may only use the information for the
purposes for which it was shared (proposed subsection 33A(5)).[58]
In response to the Online Privacy Bill Exposure Draft (but
not the present Bill), the Law Council of Australia raised concern that the
Commissioner’s new information sharing power under proposed subsection
33A(1) of that Bill (which is identical to proposed subsection 33A(1) of
the present Bill) may be too broad when used in conjunction with:
- the Commissioner’s current power under existing section 33C of the Privacy Act
to assess an entity’s compliance with certain parts of the Act in the absence of
any breach of the Act or any complaint having been made
- the Commissioner’s new information gathering power to issue a notice to produce
information or a document relevant to an assessment under proposed paragraph 33C(3)
of the Privacy Act (in the Online Privacy Bill).[59]
The Law Council of Australia’s concern appears to be
centred on the prospect that information or documents which an entity is
compelled to produce to the Information Commissioner (when exercising a compulsory
information-gathering power) could then be disclosed by the Information
Commissioner under proposed subsection 33A(1) of the Online Privacy Bill Exposure
Draft (which is identical to proposed subsection 33A(1) of the present
Bill) to a receiving body – even without the entity’s knowledge or consent, or
having to consult the entity.
Further, it is unclear how the safeguard in proposed
subsection 33A(5) of the present Bill, which requires that ‘a receiving
body may only use the information for the purposes for which it was shared’,
would have any practical significance in relation to a receiving body that is ‘an
authority of the government of a foreign country that has privacy functions’ (proposed
subparagraph 33A(2)(c)). For example, the Commissioner might be ‘satisfied
on reasonable grounds’ that a foreign privacy regulator ‘has satisfactory
arrangements in place for protecting the information or documents’ shared (proposed
subparagraph 33A(3)(b)) before sharing the information or documents.
However, once the information or documents are shared, the ‘safeguard’ in proposed
subsection 33A(5) may not be operative if the foreign privacy regulator then
proceeds to disclose, or is compelled to disclose, the information or documents
to other government or law enforcement bodies in its jurisdiction for any secondary
purpose (under the laws of its own jurisdiction or otherwise).
Powers to disclose certain information if in the public interest
Proposed subsection 33B(1) sets out the
Commissioner’s power to disclose certain information acquired in the course of
the Commissioner exercising powers or performing functions or duties under the Privacy
Act if the Commissioner is satisfied the disclosure is in the public
interest. The Explanatory Memorandum to the Bill provides that:
The purpose of subsection 33B(1) is to empower the
Commissioner to disclose or publish information relating to privacy and
personal information, for example information about an ongoing investigation on
the OAIC’s website. This will ensure Australians are informed about privacy
issues and to reassure the community that the OAIC is discharging its duties.
Section 33B is an authorisation by law for the purposes of APP 6.2(b).
Proposed paragraph 33B(2)(a) sets out a list of
public interest considerations that the Commissioner must consider before
exercising their discretion under proposed subsection 33B(1):
- the rights and interests of any complainant or respondent
- whether the disclosure will or is likely to prejudice any investigation the
Commissioner is undertaking
- whether the disclosure will or is likely to disclose the personal information of any
person
- whether the disclosure will or is likely to disclose any confidential commercial
information
- whether the Commissioner reasonably believes that the disclosure would be likely to
prejudice one or more enforcement related activities conducted by or on behalf
of an enforcement body.
Proposed paragraph 33B(2)(b) sets out that the
Commissioner may also have regard to any other matter the Commissioner
considers relevant when determining if a disclosure is in the public interest.
Proposed subsection 33B(3) clarifies that section
33B does not limit the Commissioner’s other powers under the Privacy Act
or any other Commonwealth laws to disclose information.
These proposed amendments adopt similar amendments in the
Online Privacy Bill Exposure Draft, although that Bill proposes a general
prohibition (with a few exceptions) on the Commissioner disclosing information
about an eligible data breach.[60]
However, that prohibition is not contained in the present Bill, which is likely
a result of the recent high-profile data breaches. As the Explanatory
Memorandum notes:
The purpose of subsection 33B(1) is to empower the
Commissioner to disclose or publish information relating to privacy and
personal information, for example information about an ongoing investigation on
the OAIC’s website. This will ensure Australians are informed about privacy
issues and to reassure the community that the OAIC is discharging its duties.[61]
The Commissioner’s proposed power to publish information
about privacy issues or data breaches would likely be met with opposition from
regulated entities for reasons related to reputation and confidentiality. Speaking
from the perspective of an entity that may be covered by the Privacy Act, in
response to similar amendments in the Online Privacy Bill Exposure Draft, Meta noted:
We suggest that before exercising the right to share
information in the public interest, the Information Commissioner should consult
with any potentially affected parties and allow them to make submissions as to
why all or some of the information should not be disclosed and to seek review
of the Information Commissioner’s decision if necessary. Without this type of
protection it will be much harder for regulated entities to be comfortable
sharing information with the Information Commissioner on a voluntary basis, as
there would be a heightened underlying risk of that information being shared
outside an entity’s control.[62]
Both the Business Council of Australia and the Communications
Alliance expressed concerns that information published by the Commissioner
might include information supplied by regulated entities that is contestable in
terms of accuracy, completeness or relevance. They recommended the similar
proposed subsection 33B in the Online Privacy Bill Exposure Draft be
amended to include a requirement for prior consultation with the person or
entity that provided the relevant information or to whom the information
relates, among other things.[63]
Enhanced determination powers for the Commissioner
Under the Privacy Act, the Commissioner has the
power to make a determination after investigating a complaint, to dismiss the complaint
or find that the complaint is substantiated (existing
subsection 52(1)), or after conducting an investigation on the Commissioner’s
own initiative (existing subsection 52(1A)).
Proposed subparagraph 52(1)(b)(iia) (inserted by item
29 of the Bill) sets out that after investigating a complaint, the
Commissioner may find the complaint substantiated and make a determination that
includes a declaration that the respondent must prepare and publish, or otherwise
communicate, a statement about the conduct. The relevant requirements and
processes are set out in proposed section 52A (inserted by item 33 of
the Bill). Proposed paragraph 52(1A)(ba) (inserted by item 30 of
the Bill) provides a similar power for the Commissioner’s determinations on Commissioner-initiated
investigations.
Under existing subparagraph 52(1)(b)(ia) or existing
paragraph 52(1A)(b), the Commissioner may make a determination that includes a
declaration that a respondent must take specified steps within a specified
period to ensure conduct (in relation to complaints), or an act or practice (in
relation to Commissioner-initiated investigations) constituting an interference
with an individual’s privacy is not repeated or continued.
Proposed subsection 52(1AAA) (inserted by item 31
of the Bill) specifically allows the Commissioner to make a determination that
includes a requirement for the respondent to engage, in consultation with the
Commissioner, a suitably independent and qualified adviser to assist this
process. The adviser is to review the acts or practices engaged in by the
respondent that were the subject of the complaint, the steps (if any) taken by
the respondent to ensure that the conduct referred to in the determination is
not repeated or continued, and any other matter specified in the declaration
that is relevant to those acts or practices, or that complaint (proposed
paragraph 52(1AAA)(a)). It appears this amendment formalises the legal
basis for a practice that the Commissioner has already used in some of her
recent determinations.[64]
These proposed amendments to the Commissioner’s
determinations powers adopt similar amendments in the Online Privacy Bill Exposure
Draft.[65]