Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 introduced into the House of Representatives

October 26, 2022

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced into the House of Representatives by the Attorney General earlier today.

The amendments will provide the Commissioner with new powers including, but not limited to:

  • The Commissioner will have “new information-gathering powers regarding the notifiable data breach reporting and notification requirements”.
  • The Commissioner will have … information-gathering powers to conduct assessments of organisations’ practices.
  • The Commissioner will have powers to issue a direction for the entity to notify individuals who have been affected by a data breach.
  • The Commissioner will have infringement notice powers.

The Commissioner being provided with infringement notice powers brings the Australian regulation more in line with the UK legislation, where the UK Commissioner can issue monetary penalty notices. Similarly, the Federal Trade Commission, although it follows a different process, has a comparably quick way of imposing penalties. It will be critical for businesses and organisations to understand their obligations; otherwise they may be the subject of a significant financial penalty, not to mention the reputational damage that comes with it.

Itnews has undertaken a reasonable summation, from a lay perspective, of the proposed amendments in “Privacy Act amendments land in parliament”, which provides:

The federal government has introduced amendments to beef up the Privacy Act.

Foreshadowed earlier this month following the Optus data breach, the amendments were introduced to the House of Representatives this morning by Attorney General Mark Dreyfus.

As promised, the amendments include higher fines for serious privacy breaches; a strengthened notifiable data breaches scheme; enhanced enforcement powers for the Australian Information Commissioner; and greater information sharing arrangements.

“The novel privacy challenges posed by the rise of digital platforms and the unprecedented volume and variety of data that these platforms collect from users underscores the importance of reforming our privacy laws,” Dreyfus said.

The current $2.2 million fines available to the Australian information commissioner are inadequate, with Dreyfus echoing statements by commissioner Angelene Falk that the fines must be more than “simply the cost of doing business”.

The new fines proposed in the legislation would be “not more than the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the value of the benefit obtained cannot be determined, 30 percent of a company’s domestic turnover in the relevant period.”

The amendments to the notifiable data breaches scheme will empower the Australian information commissioner to assess an entity’s compliance with the scheme.

The commissioner will also have “new information-gathering powers in regards to the scheme’s reporting and notification requirements,” Dreyfus said.

“This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals, and take actions such as issue a direction for the entity to notify individuals who have been affected by a data breach.”

The commissioner will also be given the power to publish notice about specific privacy breaches, “or otherwise ensure those directly affected are informed”.

The commissioner will have the power to compel entities to improve their practices, supported by information-gathering powers to conduct assessments.

New infringement notice powers will let the commissioner deal with non-compliant organisations, “without the need to engage in protracted litigation”.

The bill is also amending the Privacy Act’s extraterritorial provisions, so that “even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.”

Finally, information sharing will be bolstered in two ways.

The commissioner will have “an express power” to publish the determinations it makes following a privacy investigation, as well as updates into ongoing investigations.

There will also be a power to share information with enforcement bodies, other complaints bodies, privacy regulators; and “the Australian Communications and Media Authority will also be provided better powers to share information within government for enforcement purposes.”

The Bill provides:

Australian Communications and Media Authority Act 2005

1  At the end of subsection 59D(1)

Add:

                   ; (q)  a non-corporate Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013 ) not otherwise covered by this subsection that is responsible for enforcing one or more laws of the Commonwealth.

Australian Information Commissioner Act 2010

2  Section 25

Omit “The”, substitute “(1) Subject to subsection (2), the”.

3  Paragraphs 25(e), (g) and (h)

Repeal the paragraphs.

4  Paragraph 25(k)

Omit “1988;”, substitute “1988.”.

5  Paragraph 25(l)

Repeal the paragraph.

6  At the end of section 25

Add:

             (2)  The Information Commissioner may only delegate the following functions or powers to a member of staff of the Office of the Australian Information Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee:

                     (a)  the function conferred by section 55K of the Freedom of Information Act 1982 (making a decision on an IC review);

                     (b)  the function conferred by section 73 of the Freedom of Information Act 1982 (discretion not to investigate a complaint);

                     (c)  the function conferred by section 86 of the Freedom of Information Act 1982 (obligation to notify on completion of investigation);

                     (d)  making determinations for the purposes of section 52 of the Privacy Act 1988.

7  Paragraph 29(2)(a)

Repeal the paragraph, substitute:

                     (a)  both of the following apply:

                              (i)  the information was acquired by the person in the course of performing an information commissioner function or exercising a related power;

                             (ii)  the person records, discloses or otherwise uses the information in the course of performing an information commissioner function or exercising a related power; or

                    (aa)  both of the following apply:

                              (i)  the information was acquired by the person in the course of performing a freedom of information function or exercising a related power;

                             (ii)  the person records, discloses or otherwise uses the information in the course of performing a freedom of information function or exercising a related power; or

                   (ab)  both of the following apply:

                              (i)  the information was acquired by the person in the course of performing a privacy function or exercising a related power;

                             (ii)  the person records, discloses or otherwise uses the information in the course of performing a privacy function or exercising a related power; or

8  Paragraph 29(2)(aa)

Reletter as paragraph (ac).

Privacy Act 1988

9  Paragraph 5B(3)(b)

Omit “Territory;”, substitute “Territory.”.

10  Paragraph 5B(3)(c)

Repeal the paragraph.

11  Subsection 6(1)

Insert:

alternative complaint body has the meaning given by subsection 50(1).

related body corporate: see subsection (8).

12  Section 13G

Before “An”, insert “(1)”.

13  Section 13G (penalty)

Repeal the penalty.

14  At the end of section 13G

Add:

             (2)  The amount of the penalty for a contravention of subsection (1) by a person other than a body corporate is an amount not more than $2,500,000.

             (3)  The amount of the penalty for a contravention of subsection (1) by a body corporate is an amount not more than the greater of the following:

                     (a)  é?50,000,000;

                     (b)  if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;

                     (c)  if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

             (4)  Subsection (3) applies despite paragraph 82(5)(a) of the Regulatory Powers Act.

             (5)  For the purposes of paragraph (3)(c), the adjusted turnover of a body corporate during a period is the sum of the values of all the supplies that the body corporate, and any related body corporate, have made, or are likely to make, during the period, other than:

                     (a)  supplies made from any of those bodies corporate to any other of those bodies corporate; or

                     (b)  supplies that are input taxed; or

                     (c)  supplies that are not for consideration (and are not taxable supplies under section 72-5 of the A New Tax System (Goods and Services Tax) Act 1999); or

                     (d)  supplies that are not made in connection with an enterprise that the body corporate carries on; or

                     (e)  supplies that are not connected with the indirect tax zone.

             (6)  Expressions used in subsection (5) that are also used in the A New Tax System (Goods and Services Tax) Act 1999 have the same meaning as in that Act.

             (7)  For the purposes of paragraph (3)(c), the breach turnover period for a contravention means the longer of the following periods:

                     (a)  the period of 12 months ending at the end of the month in which the contravention ceased, or proceedings in relation to the contravention were instituted (whichever is earlier);

                     (b)  the period:

                              (i)  starting at the beginning of the month in which the contravention occurred or began occurring; and

                             (ii)  ending at the same time as the period determined under paragraph (a).

15  Subparagraphs 25(1)(a)(i) and 25A(1)(a)(i)

Omit “this Act (other than section 13G)”, substitute “this Part”.

16  At the end of section 26WA

Add:

•      The Commissioner may obtain information or documents in relation to actual or suspected eligible data breaches.

17  Paragraphs 26WK(3)(c) and 26WR(4)(c)

After “the”, insert “particular”.

18  At the end of Part IIIC

Add:

Division 4 — Commissioner’s powers to obtain information or documents relating to eligible data breaches

26WU   Power to obtain information and documents relating to eligible data breaches

             (1)  This section applies if the Commissioner has reason to believe that a person or entity has information or documents, or can answer questions, that are relevant to either or both of the following matters (the relevant matters):

                     (a)  an actual or suspected eligible data breach of an entity;

                     (b)  an entity’s compliance with the requirements in Division 3 of this Part.

             (2)  Without limiting subsection (1), the relevant matters may relate to one or more of the following:

                     (a)  whether the entity is required to comply with one or more of those requirements;

                     (b)  the conduct or events that led to, or may have led to, the application of one or more of those requirements to the entity;

                     (c)  the actions taken by the entity to comply with one or more of those requirements;

                     (d)  the actual or suspected eligible data breach that has, or may have, happened;

                     (e)  the particular kind or kinds of information involved in the actual or suspected eligible data breach;

                      (f)  the steps taken to notify individuals affected by the actual or suspected eligible data breach.

             (3)  The Commissioner may give to the person or entity a written notice requiring the person or entity:

                     (a)  to give information of the kind specified in the notice to the Commissioner that relates to the matter; or

                     (b)  to produce documents of the kind specified in the notice to the Commissioner that relate to the matter; or

                     (c)  answer questions of the kind specified in the notice to the Commissioner that relate to the matter.

Note:          For a failure to give information etc., see section 66.

             (4)  A notice given by the Commissioner under subsection (3) must state:

                     (a)  the place at, or manner in which, the information or document is to be given or produced or the questions are to be answered; and

                     (b)  the time at which, or the period within which, the information or document is to be given or produced or the questions are to be answered.

             (5)  If documents are produced to the Commissioner in accordance with a requirement under subsection (3), the Commissioner:

                     (a)  may take possession of, and may make copies of, or take extracts from, the documents; and

                     (b)  may retain possession of the documents for any period that is necessary for the purposes of assessing an entity’s compliance with this Part; and

                     (c)  during that period must permit a person who would be entitled to inspect any one or more of the documents if they were not in the Commissioner’s possession to inspect at all reasonable times any of the documents that the person would be so entitled to inspect.

             (6)  This section is subject to section 70 but it has effect regardless of any other Commonwealth law.

             (7)  A person or entity is not liable to a penalty under the provisions of any other Commonwealth law because the person or entity gives information, produces a document or answers a question when required to do so under this section.

19  Division 3 of Part IV (heading)

Repeal the heading, substitute:

Division 3 — Reports and information sharing by Commissioner

20  At the end of Division 3 of Part IV

Add:

33A   Commissioner may share information with other authorities

             (1)  Subject to subsections (3) and (4), the Commissioner may share information or documents with a body covered by subsection (2) (a receiving body):

                     (a)  for the purpose of the Commissioner exercising powers, or performing functions or duties, under this Act; or

                     (b)  for the purpose of the receiving body exercising its powers, or performing its functions or duties.

             (2)  The following bodies are covered by this subsection:

                     (a)  an enforcement body;

                     (b)  an alternative complaint body;

                     (c)  a State or Territory authority, or an authority of the government of a foreign country, that has functions to protect the privacy of individuals (whether or not the authority has other functions).

             (3)  The Commissioner may only share information or documents with a receiving body under this section if:

                     (a)  the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under this Act; and

                     (b)  the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.

             (4)  If the Commissioner acquired the information or documents from an agency, the Commissioner may only share the information or documents with a receiving body under this section if the receiving body is an agency.

             (5)  If information is shared with a receiving body under this section, the receiving body may use the information only for the purposes for which it was shared.

             (6)  To avoid doubt, the Commissioner may share information or documents with a receiving body under this section whether or not the Commissioner is transferring a complaint or part of a complaint to the body.

33B   Commissioner may disclose certain information if in the public interest etc.

Information may generally be disclosed if in the public interest

             (1)  The Commissioner may disclose information acquired by the Commissioner in the course of exercising powers or performing functions or duties under this Act if the Commissioner is satisfied that it is in the public interest to do so.

Public interest considerations

             (2)  In determining under subsection (1) whether the Commissioner is satisfied that a disclosure is in the public interest, the Commissioner:

                     (a)  must have regard to the following:

                              (i)  the rights and interests of any complainant or respondent;

                             (ii)  whether the disclosure will, or is likely to, prejudice any investigation the Commissioner is undertaking;

                            (iii)  whether the disclosure will, or is likely to, disclose the personal information of any person;

                            (iv)  whether the disclosure will, or is likely to, disclose any confidential commercial information;

                             (v)  whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body; and

                     (b)  may have regard to any other matter the Commissioner considers relevant.

             (3)  This section does not limit any other powers the Commissioner has to disclose information under this Act or any other law of the Commonwealth.

21  After paragraph 33C(1)(c)

Insert:

                    (ca)  the ability of an entity subject to Part IIIC to comply with that Part, including the extent to which the entity has processes and procedures in place to:

                              (i)  assess suspected eligible data breaches; and

                             (ii)  provide notice of eligible data breaches to the Commissioner and to individuals at risk from such breaches;

22  At the end of section 33C

Add:

             (3)  Without limiting subsection (2), if the Commissioner has reason to believe that an entity or file number recipient being assessed has information or a document relevant to the assessment the Commissioner may, by written notice, require the entity or file number recipient to give the information or produce the document within the period specified in the notice, which must not be less than 14 days after the notice is given to the entity or file number recipient.

Note:          For a failure to give information etc., see section 66.

             (4)  The Commissioner must not give a notice under subsection (3) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:

                     (a)  the public interest;

                     (b)  the impact on the entity or file number recipient of complying with the notice;

                     (c)  any other matters that the Commissioner considers relevant.

             (5)  An enforcement body is not required to comply with a notice given by the Commissioner under subsection (3) if the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the notice would be likely to prejudice one or more enforcement related activities conducted by or on behalf of the enforcement body.

             (6)  Subsection (3) is subject to section 70 but it has effect regardless of any other Commonwealth law.

             (7)  A person or entity is not liable to a penalty under the provisions of any other Commonwealth law because the person or entity gives information or produces a document when required to do so under subsection (3).

             (8)  The Commissioner may publish information relating to an assessment on the Commissioner’s website.

23  At the end of subsection 44(1)

Add:

Note:          For a failure to give information etc., see section 66.

24  At the end of subsection 46(4)

Add:

Note:          For a failure to give information etc., see section 66.

25  At the end of subsection 47(1)

Add:

Note:          For a failure to give information etc., see section 66.

26  Subsection 50(1)

Omit “In this section”, substitute “In this Act”.

27  Subsection 50(1) (after paragraph (b) of the definition of alternative complaint body)

Insert:

                   (ba)  the eSafety Commissioner; or

28  Subsection 50(1) (definition of Ombudsman)

Repeal the definition.

29  After subparagraph 52(1)(b)(ii)

Insert:

                   (iia)  a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A);

30  After paragraph 52(1A)(b)

Insert:

                   (ba)  a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A);

31  After subsection 52(1A)

Insert:

    (1AAA)  Without limiting subparagraph (1)(b)(ia) or paragraph (1A)(b), the steps specified by the Commissioner may include a requirement for the respondent to:

                     (a)  engage, in consultation with the Commissioner, a suitably qualified independent adviser to review:

                              (i)  the acts or practices engaged in by the respondent that were the subject of the complaint; and

                             (ii)  the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued; and

                            (iii)  any other matter specified in the declaration that is relevant to those acts or practices, or that complaint; and

                     (b)  provide a copy of the review to the Commissioner.

32  After subsection 52(5)

Insert:

          (5A)  The Commissioner may publish a determination made under this section on the Commissioner’s website.

33  After section 52

Insert:

52A   Determination—requirement to notify conduct constituting interference with privacy of individual

             (1)  If a determination under section 52 includes a declaration mentioned in subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba), the respondent must, within 14 days after receiving the determination (or such longer period as the Commissioner allows):

                     (a)  prepare a statement, in consultation with the Commissioner, setting out:

                              (i)  the identity and contact details of the respondent or, if the respondent is the principal executive of an agency, the agency; and

                             (ii)  a description of the conduct engaged in by the respondent that constitutes the interference with the privacy of an individual; and

                            (iii)  the steps (if any) undertaken, or to be undertaken, by the respondent to ensure the conduct is not repeated or continued; and

                            (iv)  any other information required by the declaration to be included in the statement; and

                     (b)  if required by the declaration—give a copy of the statement to the complainant or, if the complaint is a representative complaint, to each class member identified as affected by the determination, in the manner specified by the declaration; and

                     (c)  if required by the declaration—publish, or otherwise communicate, the statement in the manner specified by the declaration; and

                     (d)  give the Commissioner, within 14 days after the end of the period specified in the declaration, evidence that the actions required by paragraphs (b) and (c) were taken in accordance with this section and the declaration.

             (2)  The matters specified by the Commissioner for the purposes of subsection (1) must be reasonable and appropriate.

34  Division 3 of Part V (heading)

Repeal the heading, substitute:

Division 3 — Enforcement of determinations

35  At the end of section 55

Add:

             ; and (d)  must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) and section 52A.

36  At the end of section 58

Add:

             ; and (d)  must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) and section 52A.

37  At the end of section 59

Add:

             ; and (d)  the preparation, publishing or communicating of a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) and section 52A.

38  Subsection 66(1)

Repeal the subsection, substitute:

Basic contravention

             (1)  A person contravenes this subsection if:

                     (a)  the person is required to give information, answer a question or produce a document or record under this Act; and

                     (b)  the person refuses or fails to do so.

Civil penalty:          60 penalty units.

39  After subsection 66(1)

Insert:

Multiple contraventions

       (1AA)  A person commits an offence if:

                     (a)  the person is a corporation; and

                     (b)  the person engages in conduct that constitutes a system of conduct or a pattern of behaviour; and

                     (c)  the system of conduct or pattern of behaviour results in 2 or more contraventions of subsection (1).

Penalty:  300 penalty units.

40  Subsection 66(1B)

After “(1)”, insert “or (1AA)”.

41  Subsection 66(1B) (note)

Repeal the note, substitute:

Note:          A person who wishes to rely on this subsection bears an evidential burden in relation to the matter in this subsection: see subsection 13.3(3) of the Criminal Code and section 96 of the Regulatory Powers Act.

42  Paragraph 67(b)

Omit “, whether or not pursuant to a requirement under section 44”.

43  Subsection 70(1)

Omit “is not entitled to require”, substitute “must not exercise a power under this Act that requires”.

44  After Division 1 of Part VIB

Insert:

Division 1A — Infringement notices

80UB   Infringement notices

Provisions subject to an infringement notice

             (1)  Subsection 66(1) of this Act is subject to an infringement notice under Part 5 of the Regulatory Powers Act.

Note:          Part 5 of the Regulatory Powers Act creates a framework for using infringement notices in relation to provisions.

Infringement officer

             (2)  For the purposes of Part 5 of the Regulatory Powers Act, each of the following is an infringement officer in relation to the provision mentioned in subsection (1):

                     (a)  the Commissioner;

                     (b)  a member of the staff of the Commissioner who holds, or is acting in, an office or position that is equivalent to an SES employee.

Relevant chief executive

             (3)  For the purposes of Part 5 of the Regulatory Powers Act, the Commissioner is the relevant chief executive in relation to the provision mentioned in subsection (1).

Extension to external Territories

             (4)  Part 5 of the Regulatory Powers Act, as that Part applies in relation to the provision mentioned in subsection (1), extends to every external Territory.

45  Application of amendments

The Explanatory Memorandum provides:

General Outline

The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act) to increase penalties under the Privacy Act, provide the Australian Information Commissioner (the Commissioner) with greater enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Increased penalties

The Bill will increase the penalty under section 13G of the Privacy Act for serious or repeated interferences with privacy to $2.5 million for a person other than a body corporate, and for a body corporate the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained; or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.

Enhanced enforcement powers

The Bill will provide the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement powers, including by:

  • expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation
  • amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians’ information directly from a source in Australia
  • providing the Commissioner with new powers to conduct assessments
  • providing the Commissioner new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation, and
  • strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.

Enhanced information sharing powers

The Bill will enhance the Commissioner’s ability to share information by:

  • clarifying that the Commissioner is able to share information gathered through the Commissioner’s information commissioner functions, freedom of information functions and privacy functions
  • providing the Commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body, and a State, Territory or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties, and
  • providing the Commissioner with the power to publish a determination or information relating to an assessment on the Commissioner’s website; and disclose all other information acquired in the course of exercising powers or performing functions or duties if it is in the public interest.

The Bill will also amend the ACMA Act to expand ACMA’s ability to share information to any non-corporate Commonwealth entity (as defined in section 11 of the Public Governance, Performance and Accountability Act 2013) responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.

Delegations

The Bill will amend the AIC Act to allow the Commissioner to delegate certain functions or powers to a member of staff of the OAIC.

FINANCIAL IMPACT

1. This Bill may increase Commonwealth revenue due to increased penalties. This will be dependent on the number and quantum of successful civil penalty orders sought by the Commissioner.

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

1. The Bill contains a range of measures to enhance the protection of personal information, including amendments to:
  • increase penalties under the Privacy Act 1988 (Privacy Act)
  • strengthen the Australian Information Commissioner’s (the Commissioner’s) enforcement powers, and
  • provide the Commissioner and Australian Communications and Media Authority (ACMA) with greater information sharing arrangements.

Human rights implications

1. This Bill engages the following rights:
  • the right to privacy in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and
  • the right to a fair trial under Article 14 of the ICCPR.

Increased penalties and enforcement powers

Right to protection against arbitrary or unlawful interference with privacy

1. The Bill promotes the right to privacy by strengthening the protection of the law against unlawful interferences with privacy. The Bill expands the mechanisms available to the Commissioner to enforce the protections provided under the Privacy Act for a wide range of situations in which an unlawful interference with privacy can occur.
2. The Bill strengthens the protection of the law against unlawful interferences with privacy by:
  • Increasing the maximum civil penalty for serious or repeated interferences with privacy.
    This measure is privacy enhancing. To promote effective deterrence, it is essential for the Privacy Act to provide meaningful sanctions for any conduct interfering with an individual’s privacy.
  • Creating a new provision allowing the Commissioner to issue an infringement notice for a failure to give information, answer a question or produce a document or record when required to do so (with associated additional civil penalty provisions). A separate criminal penalty has been created if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour.
    This measure is privacy enhancing. Providing the Commissioner new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation will allow the Commissioner to resolve matters more efficiently.
  • To complement the Commissioner’s existing power to make a declaration in a determination that a respondent must take specified steps to ensure conduct constituting an interference with privacy is not repeated or continued, the Commissioner will be empowered to require the respondent to engage an independent and suitably qualified adviser to assist this process. Additionally, the Commissioner may require the respondent to prepare and/or publish a statement about the conduct that led to the interference with privacy.
    These measures are privacy enhancing. Engaging an adviser will assist entities to ensure the non-compliance can be appropriately remediated, and preparing and publishing a statement about the conduct will provide Australians with greater visibility of emerging privacy issues and whether an entity who holds their personal information has breached the Privacy Act.
  • Empowering the Commissioner to conduct an assessment of an entity’s compliance with the Privacy Act’s Notifiable Data Breaches (NDB) scheme, and providing the Commissioner with a new information gathering power for the purposes of conducting an assessment of any kind and assessing an actual or suspected eligible data breach.
    These measures are privacy enhancing. Being able to undertake an assessment of an entity’s compliance with the NDB scheme will ensure entities are meeting the scheme’s reporting and notification requirements, which provides individuals with transparency and assists them in taking steps to protect their privacy. Information gathering powers are necessary to provide the Commissioner with a comprehensive understanding of an entity’s practices to understand the full extent of a breach or an emerging issue.
  • Strengthening the NDB scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.
    This measure is privacy enhancing as it will ensure the Commissioner is able to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.
3. The Bill promotes the right to privacy by ensuring that the Commissioner’s enforcement mechanisms and penalties are adequate to protect the privacy of Australians.

Right to a fair trial

1. Article 14 of the ICCPR guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has indicated that the right to a fair trial under Article 14 may extend to acts that are ‘criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity’ (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v. Austria, at para 9.2). The substance of the civil penalties, criminal offences and fair hearing guarantees in the Bill are relevant to ICCPR Article 14. Schedule 1 of the Bill engages the right to a fair trial.

Section 13G – civil penalties

1. Under the prevailing law, the maximum civil penalty for serious or repeated interferences with privacy is 2,000 penalty units (section 13G of the Privacy Act) — which, on the current penalty unit value, is a maximum civil penalty of $2.22 million for bodies corporate and $444,000 for other entities regulated by the Privacy Act. These penalties fall short of community expectations, particularly if it is large multinational organisations being penalised, and given the potential financial and emotional harm of serious or repeated breaches.
2. The Bill will increase the maximum civil penalty to $2.5 million for a person other than a body corporate. For bodies corporate, the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of their adjusted turnover in the relevant period.
3. These changes are consistent with the proposed maximum penalties under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022. The Australian Competition and Consumer Commission’s Digital Platforms Inquiry July 2019 report recommended that the maximum penalties of the Privacy Act should be increased to mirror the penalties for breaches of the ACL as the lack of effective deterrence has enabled problematic data practices.
4. Further, the Privacy Act applies appropriate safeguards that exist in the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) that protect the rights expressed in Article 14. Section 80U of the Privacy Act and Part 4 of the Regulatory Powers Act provide that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. Where conduct contravenes more than one civil penalty provision, proceedings may be commenced in relation to each contravention; however, the entity (or person) cannot be liable for more than one penalty in relation to that conduct.
5. The maximum penalty for a body corporate is significantly higher than that imposed on a person other than a body corporate. This is necessary to sufficiently deter breaches of privacy, particularly for large digital platforms, and ensure that individuals are adequately protected. By strengthening penalties, Australia will be signalling its expectations that businesses undertake robust privacy and security practices.
6. For these reasons, the level of civil penalties which apply under section 13G are a reasonable and proportionate response to the behaviours the penalties are intended to deter and penalise.

Section 66 – civil and criminal penalties

1. Under the prevailing law, the criminal penalty for a person refusing or failing to give information, or answer a question or produce a document or record when required to do so under the Privacy Act, is imprisonment for 12 months or 20 penalty units or both for an individual, or 100 penalty units for bodies corporate (section 66 of the Privacy Act).
2. The Bill creates an infringement notice provision in subsection 66(1) to supplement a new civil penalty provision which will provide an alternative to potential litigation of a civil matter. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate – which, on the current penalty unit value, leads to a maximum penalty of $2,664 for a person and $13,320 for bodies corporate. The civil penalty for the infringement notice provision will be 60 penalty units for a person, and 300 penalty units for bodies corporate – which, on the current penalty unit value, leads to a maximum civil penalty of $13,320 for individuals and $66,600 for bodies corporate.
3. The Bill also creates a separate criminal offence in subsection 66(1AA) if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour. This would enable the Office of the Australian Information Commissioner (OAIC) to refer matters to the Commonwealth Director of Public Prosecutions for more serious, systemic conduct. The maximum penalty will be 300 penalty units for bodies corporate – which, on the current penalty unit value, leads to a maximum civil penalty of $66,600 for bodies corporate.
4. These new provisions are subject to the safeguard in subsection 66(1B), which provides a person cannot be penalised if they have a reasonable excuse.
5. These changes would encourage compliance, and enable the OAIC to effectively resolve privacy complaints and investigations faster, as investigations can be delayed due to the failure of parties to respond to requests for information. The infringement notice provision will provide an alternative to litigation of a civil matter. An infringement notice could be used in instances where a regulatory response is justified, but where it is preferable to attempt to resolve the matter outside of court in the first instance.
6. As noted above, the Privacy Act applies appropriate safeguards that exist in the Regulatory Powers Act that protect the rights expressed in Article 14. This includes:
  • The Bill designates the Commissioner and a senior member of the staff of the Commissioner as an infringement officer for the purposes of Part 5 of the Regulatory Powers Act. The infringement notice is subject to the safeguards provided in the Regulatory Powers Act, including that a notice must be issued within 12 months of when the contravention is alleged to have taken place and must outline the consequences of a failure to pay the amount payable under the notice.
  • Part 4 of the Regulatory Powers Act provides procedures and protections to ensure that entities will not be subject to both criminal and civil penalties for the same conduct.
  • The Privacy Act incorporates appropriate safeguards when determining the civil penalty to be imposed.
7. For these reasons, the level of civil and criminal penalties which apply under section 66 are a reasonable and proportionate response to the behaviours the penalties are intended to discourage.

Information sharing

Right to protection against arbitrary or unlawful interference with privacy

1. The Bill limits the right to privacy by expanding the Commissioner’s capacity to share information, including personal information, with an enforcement body, alternative complaint body, and a State, Territory or foreign privacy regulator.
2. The Bill also limits the right to privacy by expanding ACMA’s capacity to share information, including personal information, with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.
3. The Commissioner is generally bound by a secrecy provision in the Australian Information Commissioner Act 2010 which limits the Commissioner’s discretion to share information. The existing provisions of the Privacy Act only provide a limited set of circumstances where the Commissioner can share information or documents with other authorities and other regulators. This significantly impacts the Commissioner’s ability to cooperate with enforcement bodies and other regulators.
4. The Bill will facilitate better cooperation between the Commissioner and ACMA, and other enforcement and regulatory authorities and entities.
5. The Commissioner’s information sharing power is subject to several limitations which ensure that it is reasonable, necessary and proportionate. These include that:
  • the Commissioner can only share information for the purposes of the Commissioner’s, or the receiving body’s, exercise of powers or performance of functions and duties
  • the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act
  • the Commissioner must also be satisfied on reasonable grounds that the receiving authority has satisfactory arrangements for maintaining security of the information or documents
  • where the Commissioner has obtained information or documents from an Australian Government agency, the Commissioner may only share those documents with an Australian Government agency, and
  • further, if the information is shared with a receiving body under this section, the receiving body may use the information only for the purposes for which it was shared.
6. Existing protections in section 59D of the Australian Communications and Media Authority Act 2005 will apply to ACMA’s new ability to share information, namely that the ACMA Chair must be satisfied that the information will enable or assist the entity to perform or exercise any of its functions or powers, and that the ACMA Chair may impose conditions to be complied with in relation to the authorised disclosure of information.
7. This limitation on the right to privacy is permissible as it is a reasonable, necessary and proportionate means of achieving a legitimate goal to improve cooperation between law enforcement and regulatory bodies, and is subject to safeguards.
8. The Bill also limits the right to privacy by empowering the Commissioner to disclose information acquired in the course of exercising powers, or performing functions and duties.
9. The disclosure power is subject to the Commissioner being satisfied on reasonable grounds that the disclosure is in the public interest, which ensures that it is reasonable, necessary and proportionate. To determine whether the disclosure is in the public interest specific regard must be given to:
  • the rights, freedoms and legitimate interests of any person including the complainant or respondent
  • whether the disclosure could prejudice an investigation which is underway
  • whether the disclosure will or is likely to disclose the personal information of any person
  • whether the disclosure will or is likely to disclose confidential commercial information, and
  • whether the disclosure would be likely to prejudice enforcement related activities conducted by or on behalf of an enforcement body.
10. This limitation on the right to privacy is permissible as it is a reasonable, necessary and proportionate means of ensuring Australians are informed about instances where their privacy may have been compromised and are able to take measures to protect their personal information, and is subject to appropriate safeguards.

Conclusion

1. The Bill is compatible with human rights because it promotes the protection of human rights, particularly the right to privacy in Article 17 of the ICCPR. To the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate to achieve the legitimate aims of the Bill and the Privacy Act.

NOTES ON CLAUSES

Preliminary

Clause 1 – Short title

1. This clause provides for the short title of the Act to be the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

Clause 2 – Commencement

1. This clause provides for the commencement of each provision in the Bill, as set out in the table. Item 1 in the table provides that the whole of this Act will come into effect on the day after the Act receives Royal Assent.

Clause 3 – Schedules

1. Clause 3 provides that each Act specified in the Schedule is amended or repealed as set out in the Schedule. Clause 3 also provides that any other item in a Schedule of the Bill will have effect according to its terms.

GENERAL OUTLINE

1. The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act) to increase penalties under the Privacy Act, provide the Australian Information Commissioner (the Commissioner) with enhanced enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Australian Communications and Media Authority Act 2005

Item 1 – Subsection 59D(1)

1. This item will ensure the ACMA is able to disclose information to a non-corporate Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) that is responsible for enforcing one or more laws of the Commonwealth.
2. The amendment would ensure the ACMA is able to disclose information without needing to list an exhaustive list of agencies. The amendment is important because for many functions and powers that non-corporate Commonwealth entities are exercising, taking prompt action is critical to help ensure further harm is minimised or avoided. For example, prompt disclosure of information by the ACMA following a data breach could help ensure that financial crime and fraud does not occur.
3. Disclosures are limited only to non-corporate Commonwealth entities, and not the full range of Commonwealth entities. This will ensure disclosures cannot be made to corporate Commonwealth entities that have a separate legal personality from the Commonwealth. This limitation is appropriate due to corporate Commonwealth entities being able to operate commercially with a degree of independence from the policies and direction of the Australian Government. Further, disclosure can only occur where the entity has a role enforcing a law of the Commonwealth. The ACMA Chair will be able to set conditions that must be adhered to by the receiving agency.
4. The proposed amendment is consistent with paragraphs 59D(1)(l) and (o), which allow the ACMA to share information with a general class of agencies from the States and Territories, and regulators from foreign countries.

Australian Information Commissioner Act 2010

Item 2 – Section 25

1. This item is a technical amendment to allow for the insertion of subsection 25(2), and to reflect that the Commissioner may only delegate specific functions or powers subject to the limitation in subsection 25(2).

Item 3 – Paragraphs 25(e), (g) and (h)

1. This item repeals paragraphs 25(e), (g) and (h). The purpose of this item is to allow the Commissioner to delegate the following functions or powers to a member of staff of the Office of the Australian Information Commissioner (OAIC) to ensure the OAIC’s workload can be managed effectively:
  • the function conferred by section 55K of the Freedom of Information Act 1982 (FOI Act) (making a decision on an Information Commissioner review)
  • the function conferred by section 73 of the FOI Act (discretion not to investigate, or continue to investigate, an FOI complaint), and
  • the function conferred by section 86 of the FOI Act (obligation to notify on completion of FOI investigation).

Item 4 – Paragraph 25(k)

1. This item is a technical amendment to reflect that paragraph 25(k) is the final paragraph, due to paragraph 25(l) being repealed.

Item 5 – Paragraph 25(l)

1. This item repeals paragraph 25(l). The purpose of this item is to allow the Commissioner to delegate the following function or power to a member of staff of the OAIC:
  • making determinations for the purposes of section 52 of the Privacy Act after completing a privacy investigation.

Item 6 – At the end of section 25

1. This item limits the Commissioner’s expanded delegation power in items 3 and 5 to Senior Executive Service (SES) employees, or acting SES employees. This safeguard reflects that decisions made under sections 55K, 73 and 86 of the FOI Act and section 52 of the Privacy Act are of significance, and as such should only be exercised by employees that have the relevant skills and expertise.

Item 7 – Paragraph 29(2)(a)

1. This item repeals paragraph 29(2)(a) and substitutes it with paragraphs 29(2)(a), (aa) and (ab). This item provides that the following scenarios will not be considered an unauthorised dealing with information, and therefore will not be subject to the offence provision under subsection 29(1):
  • If a person acquires information in the course of performing an information commissioner function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(a)), or
  • If a person acquires information in the course of performing a freedom of information function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(aa)), or
  • If a person acquires information in the course of performing a privacy function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(ab)).
2. The purpose of this item is to clarify that the exception to section 29 applies to any uses of information for the same function (being either an information commissioner function, freedom of information function, or a privacy function) under the AIC Act for which it was collected. This would allow, for example, information from a Notifiable Data Breach statement to be used in a subsequent investigation into potential Australian Privacy Principle (APP) 11 breaches, as they both fall within the Commissioner’s privacy functions.

Item 8 – Paragraph 29(2)(aa)

1. This item is a technical amendment to re-letter paragraph 29(2)(aa) to paragraph 29(2)(ac), due to the insertion of the new paragraph 29(2)(aa) above.

Privacy Act 1988

Item 9 – Paragraph 5B(3)(b)

1. This item is a technical amendment to reflect that paragraph 5B(3)(b) will be the final paragraph in subsection 5B(3), due to paragraph 5B(3)(c) being removed.

Item 10 – Paragraph 5B(3)(c)

1. This item will remove the requirement in paragraph 5B(3)(c) that an organisation or operator that is not described in subsection 5B(2) must collect or hold personal information in Australia or an external Territory either before or at the time of the act or practice in order to have an Australian link.
2. Currently, foreign organisations must meet obligations under the Privacy Act if the entity has an Australian link. A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians’ information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered ‘in Australia’.
3. The purpose of this item is to update the provision to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia. However, these organisations will often still otherwise be carrying on a business in Australia, and should be required to meet the obligations under the Privacy Act.
4. This mirrors similar provisions in the Australian Consumer Law (ACL). Subsection 5(1) of the Competition and Consumer Act 2010 extends the application of the relevant ACL provisions to conduct by Australian incorporated bodies or those carrying on business in Australia, and Australian citizens or people ordinarily resident within Australia.

Item 11 – Subsection 6(1)

1. This item inserts a definition for the term ‘alternative complaint body’, and sets out that it has the meaning given by subsection 50(1). The term alternative complaint body is used in new section 33A.
2. This item notes that ‘related body corporate’ has the meaning given to it by subsection 6(8), which states that for the purposes of this Act, the question of whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001.

Item 12 – Section 13G

1. This item is a technical amendment to allow for the insertion of subsection 13G(2).

Item 13 – Section 13G (penalty)

1. This repeals the penalty in section 13G.

Item 14 – At the end of section 13G

1. This item amends section 13G to increase the civil penalty for a serious or repeated interference with privacy. This will ensure penalties are adequate to protect Australians’ personal information, and promote effective deterrence.
2. An entity will contravene this subsection if the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual, or the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
3. Subsection 13G(2) sets out the penalty for a serious or repeated interference with privacy by a person other than a body corporate. The item increases the penalty from 2,000 penalty units to $2.5 million.
4. Subsection 13G(3) sets out the penalty for a serious or repeated interference with privacy by a body corporate. The item increases the penalty from 10,000 penalty units to an amount not more than the greater of:
  • $50 million (paragraph 13G(3)(a));
  • three times the value of the benefit the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy if the court can determine this value (paragraph 13G(3)(b)); or
  • 30% of the adjusted turnover of the body corporate, during the breach turnover period for the contravention if the court cannot determine the value of the benefit under paragraph 13G(3)(b) (paragraph 13G(3)(c)).
5. Subsection 13G(4) sets out that subsection 13G(3) applies despite paragraph 82(5)(a) of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act), which states that when determining a pecuniary penalty for a body corporate, the pecuniary penalty must not be more than 5 times the pecuniary penalty specified for the civil penalty provision. This is necessary to sufficiently deter breaches of privacy, particularly for large digital platforms, and to ensure that individuals are adequately protected. By strengthening penalties, Australia will be signalling its expectations that businesses undertake robust privacy and security practices.
6. Subsection 13G(5) sets out what the adjusted turnover of the body corporate will be for the purposes of determining a penalty under paragraph 13G(3)(c). The adjusted turnover will mean the sum of the value of all the supplies made by the body corporate or related bodies corporate in connection with Australia’s indirect tax zone. There are exceptions such as supplies made between related bodies corporate, supplies that are input taxed, supplies that are not for consideration and are not taxable, supplies that are not made in connection with the body corporate’s business, and supplies that are not connected with the indirect tax zone.
7. Subsection 13G(6) clarifies that any expressions used in subsection 13G(5) that are also used in the A New Tax System (Goods and Services Tax) Act 1999 have the same meaning as in that Act.
8. Subsection 13G(7) sets out what the breach turnover period will be for the purposes of determining a penalty under paragraph 13G(3)(c). The breach turnover period provides the formula for determining the period of time over which the adjusted turnover may be valued.
9. The breach turnover period will be the longer of either:
  • The period of contravention. This period will begin at the start of the month in which the contravention occurred, or began occurring. The period will end at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).
  • The 12-month period ending at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).
10. This will result in the minimum breach turnover period being at least 12 months. The purpose of the breach turnover period is to ensure the quantum of a penalty is linked to the economic impact of the body corporate’s conduct or to the damage caused by its conduct over the relevant period of time.

Item 15 – Subparagraphs 25(1)(a)(i) and 25A(1)(a)(i)

    1.                This item clarifies that compensation orders under section 25 and other orders to compensate loss or damage under section 25A can be ordered if a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of Part IIIA of the Privacy Act (credit reporting). This is a technical amendment to ensure that the new civil penalty in item 38 is not captured.

Item 16 – At the end of section 26WA

    1.                This item updates the simplified outline of Part IIIC to include a summary of the Commissioner’s new powers to obtain information or documents in relation to actual or suspected eligible data breaches.

Item 17 – Paragraphs 26WK(3)(c) and 26WR(4)(c)

    1.                This item clarifies that when an entity must prepare a statement for the Commissioner following an eligible data breach under section 26WK or 26WR, the entity must include information about the particular kind or kinds of information as opposed to just the kind or kinds of information.
    2.                This is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an eligible data breach in order to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.

Item 18 – At the end of Part IIIC

    1.                This item adds in the new section 26WU, which provides the Commissioner with information gathering powers in relation to actual or suspected eligible data breaches.  
    2.                This is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an actual or suspected eligible data breach in order to assess the particular risk of harm to individuals. For example, additional information may assist the Commissioner in determining whether to issue a notification under section 26WR to direct an entity to notify the Commissioner and affected individuals about an eligible data breach.
    3.                Subsection 26WU(1) provides that section 26WU applies if the Commissioner has reason to believe that a person or entity has information or documents or can answer questions in relation to relevant matters, being an actual or suspected eligible data breach of an entity, or an entity’s compliance with notification requirements. Subsection 26WU(2) provides a list of non-exhaustive factors that the Commissioner may consider to be relevant matters. 
    4.                Subsection 26WU(3) provides that the Commissioner may, by written notice, require a person or entity to give information, produce a document or answer questions of a kind specified in the notice. Subsection 26WU(4) outlines the procedural requirements of the notice, being that the Commissioner must state the place and time at which the information, document or answers must be provided. Note 1 in subsection 26WU(3) clarifies that section 66 contains the penalties for failure to give information.
    5.                Subsection 26WU(5) outlines how the Commissioner must handle documents produced. The Commissioner may take possession of and make copies of the documents, or take extracts from the documents. The Commissioner may retain the documents for any period that is necessary for assessing an entity’s compliance with the notification requirements, and during this time must permit a person who is entitled to inspect the documents to do so.
    6.                Subsection 26WU(6) provides that the Commissioner must not exercise this power where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.
    7.                Subsection 26WU(7) ensures that if a person or entity complies with a notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.

Item 19 – Division 3 of Part IV (heading)

    1.                This item repeals the heading and substitutes it to read ‘Division 3 – Reports and information sharing by Commissioner’. This is to reflect the Commissioner’s new information sharing powers.

Item 20 – At the end of Division 3 of Part IV

Section 33A – Commissioner may share information with other authorities

    1.                Section 33A sets out the Commissioner’s power to share information (including personal information) or documents with a receiving body for the purpose of the Commissioner or the receiving body exercising powers, or performing functions or duties. The purpose of this section is to ensure the Commissioner is able to transfer a complaint to a receiving body, and also share information for the purposes of the Commissioner or the receiving body exercising their powers, or performing their functions and duties. This may occur when, for example, the Commissioner is holding information that relates to both an investigation under the Privacy Act, and under the receiving body’s framework. Section 33A is an authorisation by law for the purposes of APP 6.2(b).
    2.                Subsection 33A(2) sets out that an enforcement body (as defined in subsection 6(1)), an alternative complaint body (as defined in subsection 50(1)), a State or Territory authority or an authority of the government of a foreign country that has privacy functions will be a receiving body, and can therefore receive information and documents under subsection 33A(1).
    3.                The Commissioner’s ability to share information is subject to the safeguards in subsections 33A(3) to (5). 
    4.                Subsection 33A(3) provides that the Commissioner may only share information or documents with a receiving body if the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties under the Privacy Act, and the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents. This safeguard is based on the information sharing arrangements in Part VIIIA.
    5.                Subsection 33A(4) provides that if the Commissioner acquired the information or documents from an agency, the Commissioner may only share the information or documents with a receiving body under this section if the receiving body is an agency. The term ‘agency’ is defined in subsection 6(1). The purpose of this section is to ensure that where information or documents are obtained from an Australian Government agency, the Commissioner would only be able to share those documents with another Australian Government agency (and not a State or Territory authority, or foreign body).
    6.                Subsection 33A(5) provides that the receiving body may only use the information for the purposes for which it was shared. The purpose of this provision is to clarify that a receiving body must only use information shared under subsection 33A(1) to the extent that they are a receiving body and only for the purposes of exercising powers, performing functions or duties as that receiving body.
    7.                Subsection 33A(6) makes it clear that the Commissioner is not required to transfer a complaint or part of a complaint to share information or documents with a receiving body.

Section 33B – Commissioner may disclose certain information if in the public interest

    1.                Subsection 33B(1) sets out the Commissioner’s power to disclose certain information (including personal information) acquired in the course of the Commissioner exercising powers or performing functions or duties under the Privacy Act if the Commissioner is satisfied the disclosure is in the public interest. The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and reassure the community that the OAIC is discharging its duties. Section 33B is an authorisation by law for the purposes of APP 6.2(b).
    2.                Paragraph 33B(2)(a) sets out that, when determining whether a disclosure is in the public interest, the Commissioner must have regard to the rights and interests of any complainant or respondent; whether the disclosure will or is likely to prejudice any investigation the Commissioner is undertaking; whether the disclosure will or is likely to disclose the personal information of any person; whether the disclosure will or is likely to disclose any confidential commercial information; and whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body.
    3.                Paragraph 33B(2)(b) sets out that the Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest. For example, the Commissioner may have regard to any consultation with affected entities, and any actions affected entities have taken (such as where the entity has already notified individuals).
    4.                Subsection 33B(3) clarifies that section 33B does not limit the Commissioner’s other powers to disclose information.

Item 21 – After paragraph 33C(1)(c)

    1.                Paragraph 33C(1)(ca) sets out that the Commissioner may conduct an assessment relating to the ability of an entity subject to Part IIIC (Notification of eligible data breaches) to comply with that Part. This includes the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches to the Commissioner and to individuals at risk from such breaches. Under subsection 33C(2), the Commissioner may conduct an assessment in such manner as the Commissioner considers fit.
    2.                The purpose of paragraph 33C(1)(ca) is to expand the Commissioner’s power to assess an entity’s compliance with the Privacy Act to include Part IIIC. Assessments are an important educative tool, and allow the Commissioner to assess compliance in the absence of a breach of the Privacy Act or a complaint having been made.

Item 22 – At the end of section 33C

    1.                To assist the Commissioner to conduct assessments, this item will give the Commissioner a new information gathering power for the purposes of conducting an assessment of any kind.
    2.                Subsection 33C(3) provides that the Commissioner may, by written notice, require an entity or file number recipient to produce information or a document that is relevant to the Commissioner undertaking an assessment of that entity or file number recipient under section 33C. Subsection 33C(4) outlines the procedural requirements of the notice, being that the information or document must be produced within the period specified in the written notice, which must not be less than 14 days after the notice is given to the entity or file number recipient. Note 1 in subsection 33C(3) clarifies that section 66 contains the penalties for failure to give information.
    3.                The purpose of subsection 33C(3) is to ensure entities cooperate with an assessment by providing the relevant information and documents the Commissioner needs to undertake an assessment. This will ensure that assessments are thorough, and not limited to information that is publicly available.
    4.                Subsections 33C(4) to (5) contain safeguards to the Commissioner’s power to give a notice under subsection 33C(3). Subsection 33C(4) sets out that the Commissioner must not give a notice unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, the impact on the entity or file number recipient of complying with the notice, and any other matters the Commissioner considers relevant. Subsection 33C(5) sets out that an enforcement body (as defined in subsection 6(1)) is not required to comply with a notice if the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the notice would be likely to prejudice one or more enforcement related activities conducted by or on behalf of the enforcement body.
    5.                Subsection 33C(6) provides that the Commissioner must not exercise this power where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.
    6.                Subsection 33C(7) ensures that if a person or entity complies with a notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.
    7.                Subsection 33C(8) empowers the Commissioner to publish information relating to an assessment on the Commissioner’s website. Subsection 33C(8) is an authorisation by law for the purposes of APP 6.2(b). The purpose of this item is to ensure Australians are informed about the Commissioner’s assessments, and are aware of emerging privacy issues.

Item 23 – At the end of subsection 44(1)

    1.                This item adds Note 1 in subsection 44(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 24 – At the end of subsection 46(4)

    1.                This item adds Note 1 in subsection 44(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 25 – At the end of subsection 47(1)

    1.                This item adds Note 1 in subsection 47(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 26 – Subsection 50(1)

    1.                This item repeals the reference to ‘section’ and substitutes it with ‘Act’ to reflect the reference to other authorities in multiple sections within the Privacy Act.

Item 27 – Subsection 50(1) (after paragraph (b) of the definition of alternative complaint body )

    1.                This item lists the eSafety Commissioner as an alternative complaint body. This is to ensure the Commissioner is able to transfer complaints and share information with the eSafety Commissioner where permitted under the Act, for example in the event of overlap between privacy complaints and complaints concerning cyberbullying, cyber abuse and image-based abuse.

Item 28 – Subsection 50(1) (definition of Ombudsman)

    1.                This item repeals the definition of ombudsman in subsection 50(1), as it is already defined in subsection 6(1).

Item 29 – After subparagraph 52(1)(b)(ii)

    1.                Subparagraph 52(1)(b)(iia) sets out that after investigating a complaint, the Commissioner may find the complaint substantiated and make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A).

Item 30 – After paragraph 52(1A)(b)

    1.                Paragraph 52(1A)(ba) sets out that after investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A).

Item 31 – After subsection 52(1A)

    1.                Subsection 52(1AAA) complements the Commissioner’s power in subparagraph 52(1)(b)(ia) and paragraph 52(1A)(b) to make a determination that includes a declaration that a respondent must take specified steps to ensure conduct, or an act or practice, constituting an interference with the privacy of an individual is not repeated or continued.
    2.                Subsection 52(1AAA) provides that the steps specified by the Commissioner may include a requirement for the respondent to engage, in consultation with the Commissioner, a suitably independent and qualified adviser to assist this process. For example, the adviser may review any relevant business practices or processes that contributed to the non-compliance, or the remediation of the non-compliance. This will help ensure respondents understand what led to the non-compliance, and how to improve practices.
    3.                The adviser is to review the acts or practices engaged in by the respondent that were the subject of the complaint, the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued, and any other matter specified in the declaration that is relevant to those acts or practices, or that complaint (paragraph 52(1AAA)(a)).
    4.                The Commissioner may include a requirement for the respondent to provide a copy of the review to the Commissioner (paragraph 52(1AAA)(b)).

Item 32 – After subsection 52(5)

    1.                This item clarifies that the Commissioner has the power to publish a determination made under section 52, which represents a final finding, on the OAIC website. The purpose of this item is to ensure information about the Commissioner’s determinations is publicly available, and the Australian community is aware of emerging privacy issues.

Item 33 – After section 52

    1.                This item inserts section 52A, which sets out the requirements and processes if the Commissioner makes a determination under section 52 which includes a declaration mentioned in subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) that the respondent must prepare a statement, in consultation with the Commissioner, about the conduct that constituted the interference with the privacy of an individual.
    2.                Subsection 52A(1) sets out that the respondent must within 14 days (or such longer period as the Commissioner allows) prepare the statement, and, if required by the declaration, make the statement publicly available. The purpose of this item is to ensure that individuals are fully notified and aware of entities that have contravened the Privacy Act, in particular individuals who have been affected by the contravention.
    3.                Paragraph 52A(1)(a) sets out the requirements of the statement. The statement must set out the identity and contact details of the respondent or the agency (if the respondent is the principal executive of an agency), a description of the conduct engaged in by the respondent that constitutes the interference with the privacy of an individual, the steps (if any) undertaken or to be undertaken by the respondent to ensure the conduct is not repeated or continued, and any other information required by the declaration to be included in the statement.
    4.                Paragraph 52A(1)(b) sets out that, if required by the declaration, the respondent must give a copy of the statement to the complainant or, if the complaint is a representative complaint, to each class member identified as affected by the determination, in the manner specified by the declaration. Paragraph 52A(1)(c) sets out that, if required by the declaration, the respondent must publish, or otherwise communicate, the statement in the manner specified by the declaration (for example, on the respondent’s website). Paragraph 52A(1)(d) sets out that the respondent will be required to provide the Commissioner with evidence, within 14 days after the end of the period specified in the declaration, that the actions required by paragraphs (b) and (c) have been undertaken.
    5.                Subsection 52A(2) contains a safeguard to the Commissioner’s power to require the respondent to prepare and publish, or otherwise communicate, a statement. Subsection 52A(2) provides that the matters specified by the Commissioner regarding the preparation and publication or communication of the statement must be reasonable and appropriate, for example the Commissioner may consider the size of the entity, the scale of the contravention and the number of individuals affected.

Item 34 – Division 3 of Part V (heading)

    1.                This item clarifies that the heading for Division 3 of Part V relates to enforcement of determinations only.

Item 35 – At the end of section 55

    1.                Paragraph 55(d) sets out that if a determination made under section 52 applies in relation to an organisation or small business operator, the organisation or operator must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 36 – At the end of section 58

    1.                Paragraph 58(d) sets out that if a determination made under section 52 applies in relation to an agency, the agency must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 37 – At the end of section 59

    1.                Paragraph 59(d) sets out that if a determination made under section 52 applies in relation to the principal executive of an agency, the principal executive must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 38 – Subsection 66(1)

    1.                This item repeals the criminal penalty in subsection 66(1) for failure to give information, answer a question or produce a document or record when required to do so under the Privacy Act, and substitutes it with a civil penalty for a basic contravention where a person is required to give information, answer a question or produce a document or record under the Act and refuses or fails to do so – for example, under section 44 or subsections 33C(3), 46(4) or 47(1). The penalty is 60 penalty units for a person, and therefore 300 penalty units for a body corporate (applying the multiplier in subsection 82(5) of the Regulatory Powers Act).
    2.                The purpose of converting subsection 66(1) from a criminal offence to a civil penalty provision is to allow the Commissioner to issue a civil penalty or an infringement notice for minor instances of non-compliance without having to resort to the prosecution of a criminal offence. Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.
    3.                The supplementary infringement notice section is set out in item 44 (section 80UB).
    4.                Subsection 66(1) is subject to the safeguard in subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, as outlined in subsection 66(3).
    5.                A separate criminal offence is set out in subsection 66(1AA) when a body corporate engages in multiple instances of non-compliance that constitute a system of conduct or a pattern of behaviour.

Item 39 – After subsection 66(1)

    1.                Subsection 66(1AA) sets out that a person will commit an offence if the person is a corporation and has engaged in conduct that constitutes a system of conduct or a pattern of behaviour, and the system of conduct or pattern of behaviour results in 2 or more contraventions of subsection 66(1). The penalty for the offence is 300 penalty units. Although this matches the civil penalty units for a basic contravention under subsection 66(1) by a body corporate, conduct regarded as criminal carries a greater stigma and this reflects the more serious nature of an offence under subsection 66(1AA). The purpose of subsection 66(1AA) is to enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions involving more serious, systemic conduct.
    2.                Subsection 66(1AA) is subject to the safeguard in subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

Item 40 – Subsection 66(1B)

    1.                This item provides that subsection 66(1AA) will not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

Item 41 – Subsection 66(1B) (note)

    1.                This item repeals the note in subsection 66(1B) and substitutes it with a note that states that if a person relies on subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, the person bears the evidential burden. The details of the evidential burden are contained in subsection 13.3(3) of the Criminal Code Act 1995 for a criminal penalty, and section 96 of the Regulatory Powers Act for a civil penalty provision.

Item 42 – Paragraph 67(b)

    1.                This item clarifies that civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person because they made a statement, or gave a document or information, to the Commissioner. The item removes the caveat ‘whether or not pursuant to a requirement under section 44’ to reflect amendments in this Bill, including the Commissioner’s new information gathering powers in relation to actual or suspected eligible data breaches in section 26WU.

Item 43 – Subsection 70(1)

    1.            Subsection 70(1) currently provides that if the Attorney-General issues a certificate in limited circumstances, the Commissioner cannot require a person to give particular information or produce a document or record to the Commissioner. This item clarifies that subsection 70(1) applies when the Commissioner is exercising a power to require information, documents or records under the Privacy Act. For example, it would apply to the new information gathering powers in item 18.

Item 44 – After Division 1 of Part VIB

    1.            This item inserts the heading Division 1A – Infringement notices.
    2.            Subsection 80UB(1) provides that the basic contravention for failing to provide information, answer a question or produce a document or record, can be subject to an infringement notice under Part 5 of the Regulatory Powers Act.  
    3.            The purpose of subsection 80UB(1) is to allow an infringement officer to issue an infringement notice instead of seeking a civil penalty for contraventions of subsection 66(1) where a person is required to give information, answer a question, produce a document or record, and the person refuses or fails to do so. This will enable the OAIC to resolve matters more efficiently.
    4.            Subsection 80UB(2) provides that the Commissioner and a member of the staff of the Commissioner who holds, or is acting in, an office or position that is equivalent to an SES employee will be an infringement officer for the purposes of exercising powers under Part 5 of the Regulatory Powers Act. Subsection 80UB(3) sets out that the Commissioner is the relevant chief executive for the purposes of exercising powers under Part 5 of the Regulatory Powers Act.
    5.            Subsection 80UB(4) makes it clear that Part 5 of the Regulatory Powers Act extends to every external Territory of Australia.
    6.            In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate.

Item 45 – Application of amendments

    1.            This item provides the arrangements for how amendments made by Schedule 1 are to be applied.
    2.            The ACMA will be able to disclose authorised information under subsection 59D(1) of the ACMA Act regardless of whether the information was acquired by the ACMA prior to commencement of this item.
    3.            The clarification to section 29(2) of the AIC Act applies in relation to information acquired before or after the commencement of this item.
    4.            The increased penalties under section 13G do not apply in relation to an act done, or a practice engaged in, before the commencement of this item.
    5.            The requirement for eligible data breach statements to include information about ‘particular’ kinds of information under paragraphs 26WK(3)(c) and 26WR(4)(c) will only apply in relation to statements prepared after the commencement of this item.
    6.            The Commissioner will be able to give a notice to an entity or person under section 26WU to give information, produce a document or answer questions of a kind specified in the notice regardless of when the actual or suspected eligible data breach occurred or may have occurred.
    7.            The Commissioner will be able to disclose information or documents under section 33A regardless of whether the information or documents were obtained prior to commencement of this item.
    8.            The Commissioner will be able to disclose information under section 33B regardless of whether the information was obtained prior to commencement of this item.
    9.            The Commissioner will be able to give a notice to an entity under section 33C to produce information or documents in relation to an assessment only if the assessment has not yet been started, or has not yet concluded.
    10.            The Commissioner will be able to make a determination that includes the expanded declaration powers in section 52 if the investigation has not yet been started, or has not yet concluded.
    11.            The Commissioner will be able to publish a determination made under section 52, regardless of when the determination was made.

(1)       Subsection 59D(1) of the Australian Communications and Media Authority Act 2005, as amended by this Schedule, applies in relation to authorised disclosure information acquired by the ACMA before or after the commencement of this item.

(2)       Subsection 29(2) of the Australian Information Commissioner Act 2010, as amended by this Schedule, applies in relation to information acquired before or after the commencement of this item.

(3)       Section 13G of the Privacy Act 1988, as amended by this Schedule, does not apply in relation to an act done, or a practice engaged in, before the commencement of this item.

(4)       Paragraphs 26WK(3)(c) and 26WR(4)(c) of the Privacy Act 1988, as amended by this Schedule, apply in relation to statements prepared after the commencement of this item.

(5)       A notice may be given under section 26WU of the Privacy Act 1988, as added by this Schedule, in relation to an actual or suspected eligible data breach that occurred, or may have occurred, before or after the commencement of this item.

(6)       Section 33A of the Privacy Act 1988, as added by this Schedule, applies in relation to the sharing of information or documents after the commencement of this item, whether the information or documents were obtained by the Commissioner before or after that commencement.

(7)       Section 33B of the Privacy Act 1988, as added by this Schedule, applies in relation to the disclosure of information after the commencement of this item, whether the information was obtained by the Commissioner before or after that commencement.

(8)       Section 33C of the Privacy Act 1988, as amended by this Schedule, applies in relation to:

                     (a)  assessments started before the commencement of this item but not concluded at that commencement; and

                     (b)  assessments started after that commencement.

(9)       Section 52 of the Privacy Act 1988, as amended by this Schedule, applies in relation to:

                     (a)  the investigation of complaints that started before the commencement of this item but not finally dealt with at that commencement; and

                     (b)  the investigation of complaints that started after that commencement.

(10)     Subsection 52(5A) of the Privacy Act 1988, as inserted by this Schedule, applies in relation to determinations made by the Commissioner before or after the commencement of this item.
