Federal Government announces reforms to Privacy Act to increase penalties for data breaches

March 24, 2019 |

There is nothing quite like the combination of a Government under stress and high profile privacy breaches to channel the inner reform in what was otherwise a reluctant Attorney General on matters privacy.

The Attorney General has been widely reported as flagging increased fines for serious and repeated interferences with privacy, from $2.1 to 10 million.  Alternatively the fine will be calculated on turnover or value of the misuse.  The flagged amendments will also permit the Australian Information Commissioner to issue infringement notices for minor data breaches.  As importantly the Commissioner will get $25 million to ramp up investigations of data breaches.

The media release provides:

Attorney-General, Christian Porter and Minister for Communications and the Arts, Mitch Fifield, announced the new penalty regime under the Privacy Act and other measures to ensure Australians were protected online and that major social media companies took action to protect the personal information they collect about Australians, particularly children.

“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” the Attorney-General said.

“What the Morrison Government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians’ personal information.  This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”

Minister for Communications and the Arts, Mitch Fifield, said it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments, he said.

“The tech industry needs to do much more to protect Australians’ data and privacy,” Minister Fifield said.

“Today we are sending a clear message that this Government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws.”

The amendments to the Privacy Act will:

  • Increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company’s annual domestic turnover – whichever is the greater
  • Provide the Office of the Australian Information Commissioner (OAIC) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches
  • Expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised
  • Require social media and online platforms to stop using or disclosing an individual’s personal information upon request
  • Introduce specific rules to protect the personal information of children and other vulnerable groups.

“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information,” the Attorney-General said.

“We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person.”

The OAIC will be provided with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals’ privacy and oversee the online privacy rules.

Legislation will be drafted for consultation in the second half of 2019.

“This new regime builds on other Government initiatives to improve online safety and provide Australians with greater control over their personal data, including the Online Safety Charter and Online Safety Research program, and the Consumer Data Right,” the Attorney-General said.

“The draft legislation will also incorporate any relevant findings of the current Digital Platforms inquiry by the Australian Competition and Consumer Commission which is due to issue its final reportin June 2019.  Whilst focused on the impact of large digital media platforms on competition in news media, it is also touching on privacy-related issues and, in its interim report late last year, recommended the tougher penalty regime being outlined today by the Morrison Government.”

The Australian has the best coverage to date in Tech giants face bigger penalties for online data breaches which provides:

Tech giants such as Google and Facebook will face far stronger penalties if they breach privacy laws, under sweeping changes proposed to help protect information about Australians.

Social media companies and online platforms that seriously or repeatedly breach privacy laws would be fined $10 million under the reforms, marking a big jump from the current penalty of $2.1 million.

Alternatively, they could be charged three times the value of any benefit obtained by misusing information or 10 per cent of their annual domestic turnover, depending on which figure is greatest.

Online companies would also be required to stop using or disclosing personal information about individuals upon request.

The changes will be made through amendments to the Privacy Act. Attorney-General Christian Porter says the act needs updating after the boom in recent years of online companies trading in personal information. “Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations,” he said in a statement on Sunday.

Under the proposed changes, the Australian Information Commissioner would also be given new powers to issue infringement notices for those who fail to co-operate with efforts to resolve minor data breaches.

Companies would be charged $63,000 and individuals could be fined $12,600. The government also wants to give the commissioner more options to ensure breaches are addressed, including through reviews and publishing public statements about specific breaches.

The commissioner will also be provided $25 million over three years to ramp up its investigations of privacy breaches.

Legislation to make the changes will be drafted ahead of community consultation in the second half of the year.

There has been a reasonable pick up with SBS’s Bigger penalties for online data breaches, a piece by the illustrious Katherine Times, and Perth Now amongst many others.

The underlying problem with the mooted reforms is that giving more powers to a timid regulator does not change its fundamental outlook.  The Information Commissioner and her predecessors have been heavy on process and light on action.  There has been more of the little energy found in that office given over to writing guidelines than bringing civil penalty proceedings and other enforcement action.  That is not because there is a lack of targets for action.  The Attorney General’s statement as much as regular reports make that clear. It is just that the Office is not much good as a regulator.  Much as the Banking Royal Commission showed up many regulators of banks and other financial institutions were shown up as inept, captured in mind if not body and ineffective regulators.  Unfortunately APRA and ASIC, the main regulators of banks were much more active in their space than the Information Commissioner in the regulation of the Privacy Act.

Leave a Reply