Bills Digest No. 30, 2022–23

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Attorney General's

Author

Bernie Lai

Key points

  • The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 increases penalties for serious or repeated interferences with privacy under the Privacy Act 1988.
  • The Bill falls short of amending the ‘serious or repeated interference with privacy’ threshold that triggers the civil penalty provision in section 13G of the Privacy Act, as proposed by submitters to the Privacy Act review.
  • For the increased penalty regime to have a real and sufficient deterrent effect, it will need to be matched by further reforms to the Privacy Act and adequate funding for the under‑resourced Office of the Australian Information Commissioner.
  • The Bill provides the Australian Information Commissioner with greater enforcement and information sharing powers under the Privacy Act and the Australian Information Commissioner Act 2010.
  • Stakeholders, especially entities covered by the Privacy Act, have expressed concerns about the proposed enforcement and information sharing powers of the Commissioner.
Introductory Info

Date introduced: 26 October 2022
House: House of Representatives
Portfolio: Attorney-General
Commencement: The day after Royal Assent

The Bills Digest at a glance

Purpose

The purpose of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) is to:

Background

Recent data breaches, especially the Optus data breach, affecting numerous Australians have prompted a series of immediate actions by the Australian Government, including the introduction of the Bill.

The Bill is a result of the Australian Government expediting some aspects of the ongoing Privacy Act review conducted by the Attorney-General’s Department. The Bill also includes provisions similar to various elements of the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill Exposure Draft) released for discussion and consultation by the previous Government.

Key issues and provisions

  • The Bill increases the maximum civil penalty for serious or repeated interferences with privacy from the current $2.22 million to an amount that is the greater of $50 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 30% of an entity’s adjusted turnover in the relevant period.
  • The Bill falls short of amending the ‘serious or repeated interference with privacy’ threshold that triggers the civil penalty provision in section 13G of the Privacy Act, as proposed by submitters to the Privacy Act review.
  • For the increased penalty regime to have a real and sufficient deterrent effect, it cannot rely solely on the perceived deterrent effect of the penalty quantum. It will need to be matched by further reforms to the broader enforcement framework for interferences with privacy under the Privacy Act. The Office of the Australian Information Commissioner’s (OAIC) privacy functions relevant to proactive investigation and enforcement activity will also need to be adequately resourced.
  • The Bill lowers the threshold for a foreign organisation to be covered by the Privacy Act.
  • The Bill provides enhanced enforcement and information sharing powers for the Commissioner and the OAIC, which may attract opposition from regulated entities who have expressed concerns on largely similar amendments in the Online Privacy Bill Exposure Draft.

Purpose of the Bill

The purpose of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) is to:

Background

Recent data breaches

September–October 2022 saw various high-profile and large-scale data breaches affecting Australia. Data breaches involving Optus, Medibank Private, MyDeal and others have resulted in the personal information about millions of Australians being compromised. These data breaches may have direct and long-lasting impacts on affected Australians, including financial harm through identity theft or fraud, psychological harm and reputational harm.

The recent Optus data breach has been singled out as the largest data breach in Australia’s history due to the sheer number of affected Australians and the extensive kinds of personal information involved.[2] With nearly 10 million affected Australian customers,[3] Optus has advised that the data breach may have exposed its ‘customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers’, as well as Medicare card numbers for a subset of customers.[4]

The Optus data breach has prompted a series of immediate actions by the Australian Government, including:

Privacy Act review

In light of the Optus data breach, Attorney-General Mark Dreyfus has criticised the ‘very outdated piece of legislation in the Privacy Act’ and undertaken to have the ongoing review of the Privacy Act finalised by his department by the end of 2022.[7]

In December 2019, the Morrison Government announced that it would conduct a review of the Privacy Act as part of its response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry.[8] The Privacy Act review was opened for public consultation and submissions on its issues paper published in October 2020 and discussion paper published in October 2021.

The review covers areas including:

  • the scope and application of the Privacy Act
  • whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
  • whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
  • whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  • the impact of the Notifiable Data Breaches (NDB) scheme and its effectiveness in meeting its objectives
  • the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
  • the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.[9]

Despite the progress of the review, on 12 October 2022, Attorney-General Mark Dreyfus stated that the Government was considering expediting ‘some urgent reforms that [they] can make quickly to the Privacy Act’ in response to the Optus data breach. This expedited process resulted in the present Bill. According to the Attorney-General, the Bill is ‘in addition to’ the Privacy Act review ‘with recommendations expected for further reform’.[10]

Online Privacy Bill Exposure Draft

The Morrison Government also announced a parallel reform separate to the Privacy Act review – the proposed introduction of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill). The Online Privacy Bill aimed to address the pressing privacy challenges posed by social media and other online platforms.

In October 2021, the Attorney-General’s Department (AGD) released for public consultation an Exposure Draft of the Online Privacy Bill, together with an explanatory paper and a regulatory impact statement (consultation closed in December 2021). However, the Online Privacy Bill was never formally introduced by the Morrison Government during the 46th Parliament. This Bill contains various elements of the Online Privacy Bill, as discussed below.

Committee consideration

Senate Legal and Constitutional Affairs Committee

The Bill has been referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 22 November 2022.

Senate Standing Committee for the Scrutiny of Bills

At the time of writing, the Senate Standing Committee for the Scrutiny of Bills had not reported on the Bill.

Policy position of non-government parties/independents

The Australian Greens described the Bill as ‘a step forward’ but expressed its concern that ‘[i]t’s not much use beefing up the Information Commissioner’s powers if they don’t get matching funding so they can actually use those powers.’[11]

At the time of writing, other non-government parties and the independents do not appear to have commented publicly on the Bill.

Position of major interest groups

Major interest groups, especially entities covered by the Privacy Act, have previously provided submissions on the Online Privacy Bill Exposure Draft, which, as already noted, contained some amendments that are equivalent to those in the present Bill. The proposed amendments relating to the Commissioner’s enforcement and information gathering powers in the Exposure Draft were met with opposition from some of those entities, as discussed below.

Financial implications

The Explanatory Memorandum to the Bill states that the Bill may increase Commonwealth revenue due to increased penalties, depending on the number and quantum of successful civil penalty orders sought by the Commissioner.[12]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[13]

Parliamentary Joint Committee on Human Rights

At the time of writing, the Parliamentary Joint Committee on Human Rights has not reported on the Bill.

Key issues and provisions

Increased penalties for serious and repeated interferences with privacy

Currently section 13G of the Privacy Act gives rise to a civil penalty if:

  • an entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual
  • an entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

Item 14 of the Bill inserts proposed subsection 13G(3) into the Privacy Act to set out the penalty for a serious or repeated interference with privacy by a body corporate. This increases the maximum civil penalty from 10,000 penalty units, which currently equate to $2.22 million,[14] to an amount that is the greater of:

  • $50 million (proposed paragraph 13G(3)(a))
  • 3 times the value of the benefit the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy if the court can determine this value (proposed paragraph 13G(3)(b))
  • 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention if the court cannot determine the value of the benefit under paragraph 13G(3)(b) (proposed paragraph 13G(3)(c)).[15]

Proposed subsection 13G(2) of the Privacy Act sets out the penalty for a serious or repeated interference with privacy by a person other than a body corporate (such as a sole trader or a partnership). This increases the penalty from a maximum of 2,000 penalty units, which currently equate to $444,000, to a maximum of $2.5 million.

The ‘serious or repeated interference with privacy’ threshold

An ‘interference with privacy’ is defined in section 13 of the Privacy Act, and is a breach of the Privacy Act or of a privacy-related provision in certain other legislation. However, the phrases ‘serious interference with privacy’ and ‘repeated interference with privacy’ are not defined in the Privacy Act and there have been no decided cases under this provision. At the time of introduction of these terms, the relevant Explanatory Memorandum stated that the ordinary meaning of the terms ‘serious’ and ‘repeated’ would apply.[16] The Bill does not propose any change to this threshold.

In its Guide to privacy regulatory action, which is merely administrative guidance, the OAIC states that the question of whether an interference with privacy is serious is an objective one that will reflect the opinion of a reasonable person.[17] It provides a list of factors that it considers ‘are relevant in considering whether a particular interference with privacy is serious’:

  • the number of individuals potentially affected
  • whether it involved ‘sensitive information’ or other information of a sensitive nature
  • whether significant adverse consequences were caused or are likely to be caused to one or more individuals from the interference
  • whether vulnerable or disadvantaged people may have been or may be particularly adversely affected or targeted
  • whether it involved deliberate or reckless conduct
  • whether senior or experienced personnel were responsible for the conduct.[18]

The OAIC also administratively defines ‘repeated interference with privacy’ to mean that an entity has interfered with the privacy of an individual or individuals on two or more separate occasions, which could arise from:

  • the same act or practice done on two or more occasions
  • different acts or practices done on two or more occasions.[19]

A proposal in the ongoing Privacy Act review is to clarify what constitutes a ‘serious’ or ‘repeated’ interference with privacy. In its October 2021 Privacy Act review – discussion paper, AGD acknowledges that more clearly identifying the type of conduct captured by the ‘serious or repeated interference with privacy’ threshold could be beneficial, as it would increase clarity for the OAIC, APP entities (regulated by the Privacy Act) and the courts.[20]

In its submission to the Privacy Act review – discussion paper, the OAIC supports the proposal to clarify the phrase, but recommends removing the ‘repeated’ threshold. This is because the OAIC considers that ‘a repeated act or practice that interferes with the privacy of individuals would fall within the natural meaning of a “serious” privacy incident, rather than existing as a separate legal construct’.[21] Nevertheless, the OAIC indicates that it supports the proposal to clarify the ‘serious or repeated interference with privacy’ threshold only if its preferred recommendation of repealing the threshold altogether, as discussed below, is not adopted.[22]

It is unclear whether the Government has made a conscious decision against clarifying those terms in the Bill or has decided to defer this issue until the ongoing review of the Privacy Act is completed. Either way, the Bill appears to be a missed opportunity to afford those terms the legislative clarity that they are said to need.

Comparison with other existing or proposed penalty regimes

The proposed maximum penalties in this Bill are identical to those proposed under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, which had passed both Houses by 27 October 2022.[23] In this way, the Government has adopted Recommendation 16(f) in the ACCC’s July 2019 Digital Platforms Inquiry – final report that the maximum penalties for serious or repeated interferences with privacy under the Privacy Act be increased to mirror the penalties for breaches of the ACL to achieve effective deterrence.[24]

The proposed maximum penalties in the Bill exceed what was proposed in the Online Privacy Bill Exposure Draft for privacy breaches by social media services, data brokerage services and large online platforms, namely the greater of $10 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 10% of an entity’s annual Australian turnover.[25]

In terms of comparisons with equivalent legislation in overseas jurisdictions, the proposed maximum penalty of $50 million in the Bill is significantly higher than the maximum penalty of €20 million (approximately A$31 million) under the European Union General Data Protection Regulation (GDPR).[26] However, the proposed penalty of 30% of a body corporate’s annual Australian turnover in the Bill may not be directly comparable with the penalty of 4% of an entity’s global annual turnover under the GDPR.

How would the strengthened penalty regime protect Australians’ information privacy?

Before introducing the Bill, Attorney-General Mark Dreyfus pointed out that the reputational harm suffered by entities from data breaches ‘clearly isn’t enough’.[27] In his second reading speech on the Bill, he was unequivocal that tougher penalties were intended to have deterrent effects to incentivise entities to have stronger safeguards to protect Australians’ personal information:

… This bill sends a clear message that the Albanese government takes privacy, security and data protection seriously.

As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.

Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this.

Increased penalties

Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data.

Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians …[28]

Emphasis on the consequences of data breaches

The stated purpose of the increased penalty regime focuses on the consequences of an entity’s failure to protect personal information it holds from unauthorised access, as regulated by Australian Privacy Principle (APP) 11.1 of Schedule 1 to the Privacy Act.[29] It is unlikely to address the root-cause issues of potential over-collection of personal information (APP 3), which occurs at one of the earliest stages of the information lifecycle, and of data retention (APP 11.2). The Optus data breach has raised the question of whether it is reasonably necessary for a telecommunications company to record information relating to a customer’s identification documents once their identity has been verified. It has also raised the issue of whether a telecommunications company needs to retain or should destroy a customer’s personal information once it is no longer needed for the purpose for which it was collected (for example, in the case of former customers).

These issues point to the data minimisation principle advocated by Australia’s privacy regulators and ombudsmen that ‘the collection of personal information … should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose’.[30] An obvious benefit of data minimisation is that the less data is collected, the less data is exposed to unauthorised access in the event of a data breach. However, an entity’s efforts to put this ideal privacy practice into effect are often limited by its statutory obligations to collect and retain personal information for national security and crime prevention reasons.

For example, the Telecommunications (Interception and Access) Act 1979 requires a telecommunications company to collect and retain various kinds of personal information about a customer, including their contact information and ‘information for identification purposes’ – even beyond their time as a customer.[31] Such a legislative requirement absolves the company of its normal obligation under APP 11.2 to take reasonable steps to destroy or de-identify the customer’s relevant personal information that it no longer needs for any purpose for which the personal information may be used or disclosed under the APPs.[32]

Therefore, the increased penalty regime may be seen as a band-aid solution that would not directly address the root-cause issues of over-collection and data retention underlying the Optus data breach. These issues will likely persist without appropriate reforms to relevant data retention legislation in addition to imminent reforms to the Privacy Act, including the proposed introduction of a right to erasure of personal information.[33] Any reforms to relevant data retention legislation will need to involve striking a delicate balance between safeguarding Australia’s national security and protecting Australians’ information privacy.

Deterrent effect of the increased penalties

The Government appears hopeful that the quantum of the increased penalties will have a general deterrent effect for entities that have obligations to protect Australians’ personal information from data breaches under the Privacy Act. However, the OAIC’s very limited track record of using the existing penalty regime as a regulatory tool to date may cast doubt on whether the intended deterrent effect can be achieved. Since section 13G of the Privacy Act (the civil penalty provision for serious or repeated interferences with privacy) commenced in March 2014,[34] the OAIC’s litigation against Facebook Inc and Facebook Ireland currently before the Federal Court of Australia (which concerns the Facebook–Cambridge Analytica data scandal that occurred in the 2010s) is the first and only instance of civil penalty proceedings by the OAIC.

Indeed, the current process of having a civil penalty order imposed on an entity can be lengthy and complex. The Commissioner does not have power under the Privacy Act to directly impose a penalty on a regulated entity. Rather, the Commissioner must apply to the Federal Court of Australia or the Federal Circuit and Family Court of Australia for a civil penalty order against an entity for a serious or repeated interference with privacy.[35] The OAIC has expressed criticism of the current provision, arguing that the ‘serious’ and ‘repeated’ thresholds in section 13G – which the Commissioner must demonstrate before civil penalty orders can be made by the courts – are ‘unnecessary’ because:

these factors are more appropriate considerations after breach has been established when the Federal Court determines civil penalties using well-established legal principles. The nature and extent of any contravention is also explicitly required for consideration under s 82(6) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act) when determining pecuniary penalties. Requiring the Commissioner to adduce evidence of these matters to demonstrate a breach of s 13G creates unnecessary duplication which may not be an efficient use of public resources

[Section 13G] imposes legal concepts of seriousness and repeated conduct that distract from the proper focus on whether the Privacy Act itself has been breached. These concepts are more appropriately addressed after a breach has been established when determining pecuniary penalties.[36]

In response to the Privacy Act review – discussion paper, the OAIC recommended that section 13G (and, therefore, the ‘serious’ and ‘repeated’ thresholds) be repealed and a single civil penalty provision for any interferences with privacy (rather than only the serious and repeated ones) be introduced to create a simpler civil penalty framework.[37] It also recommended the creation of a series of low-level civil penalty provisions under certain APPs for administrative breaches of the APPs with attached infringement notice powers for the Commissioner.[38]

Further, the OAIC’s longstanding resourcing constraints amid its growing workloads may also have contributed to its very limited track record of using the existing civil penalty regime as a regulatory tool.[39] As acknowledged by the OAIC, the contemporary approach to regulation expected by Australians is that government regulators use the full range of compliance and enforcement tools available in the law.[40] The OAIC’s FOI disclosure log indicates that, following the 2022 Federal Election, in June 2022 Angelene Falk, Australian Information Commissioner and Privacy Commissioner, provided Attorney-General Mark Dreyfus with a brief titled Overview of OAIC strategic priorities.[41] In the brief, before noting the ‘[s]ignificant funding pressure’ faced by her office, Commissioner Falk stated:

The complexity of personal information flows in the digital economy and the significant information asymmetry between digital platforms and individuals necessitates less reliance on the traditional individual complaint-based mechanisms for addressing privacy risks and harms, requiring increased proactive investigation and enforcement activity … The changed enforcement posture and focus on global, digital and significant privacy risks and harms is more expensive than the traditional complaint-handling dispute resolution approach of the office …[42]

However, any shift in the OAIC’s regulatory posture from its historical focus on resolving privacy complaints to more use of regulatory ‘sticks’ would also need to be reflected in future funding arrangements for the national privacy regulator. In the Budget October 2022–23, the OAIC has been allocated $5.5 million over 2 years from 2022–23 to support its response to the Optus incident.[43] In the Budget March 2022–23, the OAIC was allocated $8.71 million in 2022–23 and $8.24 million in 2023–24 to process privacy complaints and enhance its capacity to take regulatory action for breaches of privacy, such as litigation against social media platforms. These funding allocations from March 2022 have also been confirmed.[44] However, it remains to be seen whether these budget measures will be adequate to meet the OAIC’s existing workload and the expanding scope of the OAIC’s jurisdiction proposed by the Bill and envisaged in the ongoing Privacy Act review.

Therefore, for the increased penalty regime to have a real and sufficient deterrent effect, it cannot rely solely on the perceived deterrent effect of the penalty quantum. The increased penalty regime will need to be matched by further reforms to the broader enforcement framework for interferences with privacy under the Privacy Act. The OAIC’s privacy functions relevant to proactive investigation and enforcement activity, as enhanced by the greater enforcement powers proposed in the Bill, will also need to be adequately resourced for the OAIC to be an agile regulator taken seriously by the regulated.

Enhanced enforcement powers for the OAIC

Expanded extra-territorial jurisdiction of the Privacy Act

Currently, the Privacy Act has extra-territorial reach to any foreign organisation that has an ‘Australian link’, which is enlivened by satisfying two criteria:

  • The organisation carries on business in Australia or an external Territory (existing paragraph 5B(3)(b)).
  • The organisation collected or held personal information in Australia or an external Territory, either before or at the time of the act or practice (existing paragraph 5B(3)(c)).

Item 10 of the Bill repeals existing paragraph 5B(3)(c), which would leave ‘carrying on business’ in existing paragraph 5B(3)(b) effectively the only requirement for a foreign organisation to have an Australian link.

The Explanatory Memorandum to the Bill provides the rationale behind this proposed amendment:

  1. Currently, foreign organisations must meet obligations under the Privacy Act if the entity has an Australian link. A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians’ information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered ‘in Australia’.
  2. The purpose of this item is to update the provision to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia. However, these organisations will often still otherwise be carrying on a business in Australia, and should be required to meet the obligations under the Privacy Act.
  3. This mirrors similar provisions in the Australian Consumer Law (ACL). Subsection 5(1) of the Competition and Consumer Act 2010 extends the application of the relevant ACL provisions to conduct by Australian incorporated bodies or those carrying on business in Australia, and Australian citizens or people ordinarily resident within Australia.[45]

Further, the second reading speech on the Bill provides that this proposed amendment aims ‘[t]o ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore’.[46]

The proposed amendment may have come amid the OAIC’s ongoing litigation against Facebook Inc and Facebook Ireland before the Federal Court of Australia, which has raised issues about the extra-territorial provisions of the Privacy Act. One of these issues concerns whether Facebook Inc was collecting or holding in Australia the personal information that is the subject of the claim. The Full Court of the Federal Court of Australia upheld the primary judge’s conclusion (which had been disputed by Facebook Inc) that an inference was open that Facebook Inc collected relevant personal information in Australia by means of cookies which it installed on the devices of Australian users.[47]

This proposed amendment is identical to an amendment in the Online Privacy Bill Exposure Draft.[48] Given its own legal battles in relation to the extra-territoriality of the Privacy Act, it is relevant to note Meta’s (formerly Facebook Inc) concerns about the proposed lower threshold of the ‘Australian link’ test (in response to the Online Privacy Bill Exposure Draft):

… [T]he proposed change to the “Australian link” test means that any foreign corporation that carries on business in Australia will be bound to comply with the Australian Privacy Act even in relation to personal information that they collect from individuals who are not in Australia.

For example, if a US corporation carries on business in Australia through providing services to Australian end users, then the updated “Australian link” test would mean that the Privacy Act would also apply to that corporation’s handling of information about users in the US or in any other jurisdiction where that corporation makes its services available. This appears to be an unintentional consequence of the proposed drafting changes. In principle, we see no reason for Australian laws to seek to regulate management of personal information that has no direct connection with Australia or with Australians.[49]

The law firm Herbert Smith Freehills also observed that, as ‘a (presumably unintentional) consequence of the proposed drafting change’, the reduced threshold in the present Bill could be interpreted to mean that:

foreign companies carrying on business in Australia would be subject to the Act even in respect of their activities that do not relate to their business in Australia, or to Australian individuals. We note that the EU’s General Data Protection Regulation includes extra-territoriality tests based on individuals in the EU, and the California Consumer Privacy Act includes a test based on Californian residents.[50]

In its submission to the Online Privacy Bill Exposure Draft, Communications Alliance noted a similar concern but suggested that:

If the concern is that an organisation may indirectly collect or hold information that is derived from another source within Australia that directly collects or holds the information, section 5B could be amended to bring such indirect collection and holding within the definition. Otherwise, the change would create broad, uncertain and unconstrained extraterritoriality that is not consistent with good legislative practice and comity between national laws.[51]

Strengthened Notifiable Data Breaches scheme

More detailed notification to the Commissioner

Under the NDB scheme of Part IIIC of the Privacy Act, any organisation or agency covered by that Act must notify the OAIC and take reasonable steps to notify affected individuals when a data breach is likely to result in serious harm to the affected individuals (which is known as an ‘eligible data breach’).

If an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, one of its notification obligations under the NDB scheme is to prepare a statement for the Commissioner under section 26WK of the Privacy Act (before notifying the contents of this statement to affected individuals under section 26WL). One of the pieces of information that must be included in that statement is ‘the kind or kinds of information concerned’ in the eligible data breach (paragraph 26WK(3)(c)).

Item 17 of the Bill amends paragraph 26WK(3)(c) of the Privacy Act such that a reporting entity must include information about the particular kind(s) of personal information involved in an eligible data breach, as opposed to just the kind(s) of personal information.

In practice, this may mean, for example, instead of notifying that ‘contact information’ has been involved in an eligible data breach (which is one of the ‘categories’ of personal information in the OAIC’s online Notifiable data breach form), the reporting entity must state the specific kinds of contact information (which may be, for example, home address, phone number or email address).

The Explanatory Memorandum to the Bill states that this proposed amendment:

… is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an eligible data breach in order to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.[52]

This proposed amendment would ultimately benefit affected individuals, as a reporting entity also has an obligation to take reasonable steps to notify the contents of the section 26WK statement (which has been provided to the Commissioner) to the affected individuals under section 26WL.

New information gathering powers relating to eligible data breaches

Currently, information available to the Commissioner and their office about an eligible data breach under the NDB scheme is limited to information that an entity voluntarily discloses in its section 26WK statement. To obtain more detailed information about the data breach, the Commissioner or their delegates may make preliminary inquiries to the entity or a third party under subsection 42(2) of the Privacy Act. However, there appear to be no obligations for the entity or the third party to respond to or cooperate with those preliminary inquiries. It is only after the Commissioner has opened a formal investigation against the entity under subsection 40(2) that the Commissioner’s information gathering power under subsection 44(1) may be enlivened.

Proposed section 26WU of the Bill (inserted by item 18 of the Bill) addresses this gap. It provides the Commissioner with a power to require a person or an entity, by written notice, to give information, produce a document or answer questions of a kind specified in the notice (proposed subsection 26WU(3)) if the Commissioner has reason to believe that they have information or documents, or can answer questions, that are relevant to either or both of the following matters (the relevant matters):

  • an actual or suspected eligible data breach of an entity (proposed paragraph 26WU(1)(a))
  • an entity’s compliance with the requirements in Part IIIC, Division 3 (proposed paragraph 26WU(1)(b)).

Proposed subsection 26WU(2) provides a non-exhaustive list of factors that the Commissioner may consider to be the relevant matters.

Proposed subsection 26WU(4) provides that, in a subsection 26WU(3) notice, the Commissioner must state the place and time at which the information, document or answers must be provided.

Proposed subsection 26WU(5) outlines how the Commissioner may or must handle documents produced in response to the subsection 26WU(3) notice.

Proposed subsection 26WU(6) provides that the Commissioner must not exercise their power under proposed section 26WU where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.

Proposed subsection 26WU(7) ensures that a person or entity is not liable to a penalty under the provisions of any other Commonwealth law because they have given information, produced a document or answered a question to comply with a subsection 26WU(3) notice.

New powers to conduct assessments on compliance with the NDB scheme

Under section 33C of the Privacy Act, the Commissioner currently has a power to conduct an assessment of an entity’s compliance relating to various aspects of the Act, even in the absence of a breach of the Act or a privacy complaint having been made.[53] However, the Commissioner does not have a power to assess an entity’s compliance with the NDB scheme.

Proposed subparagraph 33C(1)(ca) (inserted by item 21 of the Bill) addresses this gap and provides the Commissioner with a new power to conduct an assessment of an entity’s ability to comply with the NDB scheme in Part IIIC of the Privacy Act. This proposed amendment adopts a similar amendment in the Online Privacy Bill Exposure Draft.[54]

Proposed paragraphs 33C(3)–(8) (inserted by item 22 of the Bill) provide information gathering powers, and limitations on those powers, similar to those in proposed section 26WU discussed above.

New infringement notice powers to penalise failure to provide information

Item 38 of the Bill repeals the criminal penalty in existing subsection 66(1) of the Privacy Act and substitutes it with a civil penalty for a basic contravention which arises where a person is required to give information, answer a question, or produce a document or record under the Act, and refuses or fails to do so (for example, under proposed subsection 26WU(3), proposed paragraph 33C(3) or existing subsection 44(1) discussed above). The penalty is 60 penalty units for a person and 300 penalty units for a body corporate.

Item 44 of the Bill inserts proposed section 80UB. This allows the Commissioner or an SES employee of the OAIC (or equivalent) as an ‘infringement officer’ (pursuant to Part 5 of the Regulatory Powers (Standard Provisions) Act 2014) to issue an infringement notice instead of seeking a civil penalty for contraventions of proposed subsection 66(1).

The Explanatory Memorandum to the Bill posits that:

… Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.[55]

Further, item 39 of the Bill inserts proposed subsection 66(1AA) to the Privacy Act. This creates a new offence for a corporation of engaging in conduct that constitutes a system of conduct or a pattern of behaviour that results in two or more contraventions of proposed subsection 66(1). This would enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions for more serious and systemic conduct of failing to provide information.[56] However, items 40 and 41 of the Bill amend subsection 66(1B) of the Privacy Act so that proposed subsection 66(1AA) is subject to the ‘reasonable excuse’ safeguard in existing subsection 66(1B).

These proposed new infringement notice powers to penalise failure to provide information also adopt similar amendments in the Online Privacy Bill Exposure Draft.[57]

Enhanced information sharing powers for the Commissioner

Power to share information with authorities

Proposed section 33A of the Privacy Act (inserted by item 20 of the Bill) provides the Commissioner the power to share information or documents with a receiving body for the purpose of the Commissioner or the receiving body exercising powers, or performing functions or duties (proposed subsection 33A(1)). The Explanatory Memorandum states that proposed section 33A is an authorisation by law for the purposes of APP 6.2(b).

Proposed subsection 33A(2) states that a receiving body may be:

  • an enforcement body (as defined in subsection 6(1))
  • an alternative complaint body (as defined in subsection 50(1))
  • a state or territory authority (as defined in subsection 6C(1)) or an authority of the government of a foreign country that has privacy functions.

Proposed subsection 33A(3) provides that the Commissioner may only share information or documents with a receiving body if:

  • the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties under the Privacy Act and
  • the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.

Proposed subsection 33A(4) provides that if the Commissioner acquired the information or documents from an Australian Government agency (as defined in subsection 6(1)), the Commissioner may only share the information or documents with a receiving body that is also an Australian Government agency (and not a state or territory authority, or foreign body).

Proposed subsection 33A(5) provides that a receiving body may only use the information for the purposes for which it was shared.

Proposed subsection 33A(6) clarifies that the Commissioner is not required to transfer a complaint or part of a complaint to share information or documents with a receiving body.

These proposed amendments are in similar terms to those in the Online Privacy Bill Exposure Draft, although the present Bill inserts an additional safeguard that a receiving body may only use the information for the purposes for which it was shared (proposed subsection 33A(5)).[58]

In response to the Online Privacy Bill Exposure Draft (but not the present Bill), the Law Council of Australia raised concern that the Commissioner’s new information sharing power under proposed subsection 33A(1) of that Bill (which is identical to proposed subsection 33A(1) of the present Bill) may be too broad when used in conjunction with:

  • the Commissioner’s current power under existing section 33C of the Privacy Act to assess an entity’s compliance with certain parts of the Act in the absence of any breach of the Act or any complaint having been made
  • the Commissioner’s new information gathering power to issue a notice to produce information or a document relevant to an assessment under proposed paragraph 33C(3) of the Privacy Act (in the Online Privacy Bill).[59]

The Law Council of Australia’s concern appears to be centred on the prospect that information or documents which an entity is compelled to produce to the Information Commissioner (when exercising a compulsory information-gathering power) could then be disclosed by the Information Commissioner under proposed subsection 33A(1) of the Online Privacy Bill Exposure Draft (which is identical to proposed subsection 33A(1) of the present Bill) to a receiving body – even without the entity’s knowledge or consent, or having to consult the entity.

Further, it is unclear how the safeguard in proposed subsection 33A(5) of the present Bill, which requires that ‘a receiving body may only use the information for the purposes for which it was shared’, would have any practical significance in relation to a receiving body that is ‘an authority of the government of a foreign country that has privacy functions’ (proposed subparagraph 33A(2)(c)). For example, the Commissioner might be ‘satisfied on reasonable grounds’ that a foreign privacy regulator ‘has satisfactory arrangements in place for protecting the information or documents’ shared (proposed subparagraph 33A(3)(b)) before sharing the information or documents. However, once the information or documents are shared, the ‘safeguard’ in proposed subsection 33A(5) may not be operative if the foreign privacy regulator then proceeds to disclose, or is compelled to disclose, the information or documents to other government or law enforcement bodies in its jurisdiction for any secondary purposes (under the laws of its own jurisdiction or otherwise).

Powers to disclose certain information if in the public interest

Proposed subsection 33B(1) sets out the Commissioner’s power to disclose certain information acquired in the course of the Commissioner exercising powers or performing functions or duties under the Privacy Act if the Commissioner is satisfied the disclosure is in the public interest. The Explanatory Memorandum to the Bill provides that:

The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties. Section 33B is an authorisation by law for the purposes of APP 6.2(b).

Proposed paragraph 33B(2)(a) sets out a list of public interest considerations that the Commissioner must consider before exercising their discretion under proposed subsection 33B(1):

  • the rights and interests of any complainant or respondent
  • whether the disclosure will or is likely to prejudice any investigation the Commissioner is undertaking
  • whether the disclosure will or is likely to disclose the personal information of any person
  • whether the disclosure will or is likely to disclose any confidential commercial information
  • whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body.

Proposed paragraph 33B(2)(b) sets out that the Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest.

Proposed subsection 33B(3) clarifies that section 33B does not limit the Commissioner’s other powers under the Privacy Act or any other Commonwealth laws to disclose information.

These proposed amendments adopt similar amendments in the Online Privacy Bill Exposure Draft, although that Bill proposes a general prohibition (with a few exceptions) on the Commissioner disclosing information about an eligible data breach.[60] However, that prohibition is not contained in the present Bill, which is likely a result of the recent high-profile data breaches. As the Explanatory Memorandum notes:

The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties.[61]

The Commissioner’s proposed power to publish information about privacy issues or data breaches would likely be met with opposition from the regulated entity for reasons related to reputation and confidentiality. Speaking from the perspective of an entity that may be covered by the Privacy Act, in response to similar amendments in the Online Privacy Bill Exposure Draft, Meta noted:

We suggest that before exercising the right to share information in the public interest, the Information Commissioner should consult with any potentially affected parties and allow them to make submissions as to why all or some of the information should not be disclosed and to seek review of the Information Commissioner’s decision if necessary. Without this type of protection it will be much harder for regulated entities to be comfortable sharing information with the Information Commissioner on a voluntary basis, as there would be a heightened underlying risk of that information being shared outside an entity’s control.[62]

Both the Business Council of Australia and the Communications Alliance expressed concerns that information published by the Commissioner might include information supplied by regulated entities that is contestable in terms of accuracy, completeness or relevance. They recommended the similar proposed subsection 33B in the Online Privacy Bill Exposure Draft be amended to include a requirement for prior consultation with the person or entity that provided the relevant information or to whom the information relates, among other things.[63]

Enhanced determination powers for the Commissioner

Under the Privacy Act, the Commissioner has the power to make a determination after investigating a complaint, to dismiss the complaint or find that the complaint is substantiated (existing subsection 52(1)), or after conducting an investigation on the Commissioner’s own initiative (existing subsection 52(1A)).

Proposed subparagraph 52(1)(b)(iia) (inserted by item 29 of the Bill) sets out that after investigating a complaint, the Commissioner may find the complaint substantiated and make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct. The relevant requirements and processes are set out in proposed section 52A (inserted by item 33 of the Bill). Proposed paragraph 52(1A)(ba) (inserted by item 30 of the Bill) provides a similar power for the Commissioner’s determinations on Commissioner-initiated investigations.

Under existing subparagraph 52(1)(b)(ia) or existing paragraph 52(1A)(b), the Commissioner may make a determination that includes a declaration that a respondent must take specified steps within a specified period to ensure conduct (in relation to complaints), or an act or practice (in relation to Commissioner-initiated investigations) constituting an interference with an individual’s privacy is not repeated or continued.

Proposed subsection 52(1AAA) (inserted by item 31 of the Bill) specifically allows the Commissioner to make a determination that includes a requirement for the respondent to engage, in consultation with the Commissioner, a suitably independent and qualified adviser to assist this process. The adviser is to review the acts or practices engaged in by the respondent that were the subject of the complaint, the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued, and any other matter specified in the declaration that is relevant to those acts or practices, or that complaint (proposed paragraph 52(1AAA)(a)). It appears this amendment formalises the legal basis for a practice that the Commissioner has already used in some of her recent determinations.[64]

These proposed amendments to the Commissioner’s determinations powers adopt similar amendments in the Online Privacy Bill Exposure Draft.[65]