The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passes the Senate. An improvement but more legislative work is required.
November 29, 2022
Yesterday the Australian Senate passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. The Bill was introduced and read for the first time on 26 October 2022. The second reading debate occurred on 8 November 2022 and the Bill passed the House of Representatives on 9 November 2022.
This Act has always been described as an interim measure: an immediate response to the Optus and Medibank data breaches, which highlighted the inadequacy of the data breach notification regime. More significant reforms are promised for next year. It does not address the flaws in the Privacy Act.
Key aspects of the Act are:
- an increase of the maximum penalty for serious or repeated interferences with privacy for bodies corporate from $2.2 million to the greater of:
  - $50 million,
  - three times the value of the benefit obtained that is attributable to the breach, or
  - if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
These penalties mirror the recent increased penalties introduced for breaches of the Australian Consumer Law (“ACL”). The definition of ‘adjusted turnover’ is similar to that introduced into the ACL and takes into account the sum of the values of all the supplies that the body corporate and any related body corporate have made or are likely to make during the period. How long the ‘breach turnover period’ might be could be a very significant issue: it could be a long time where an issue is unknown and detection is late.
- greater information gathering powers for the Information Commissioner regarding data breaches, including:
  - a power to share information publicly, if it is in the public interest to do so, and with a broader range of entities. Those bodies include enforcement bodies (both in Australia and overseas), alternative complaint bodies and state and territory authorities.
  - a broader power to make declarations following the conclusion of an investigation, including requiring the organisation to:
    - prepare and publish or otherwise communicate a statement about the conduct; and
    - engage with a suitably qualified independent advisor to review practices, steps taken to remediate the breach and any other matter relevant to the investigation.
    This is a step towards the process the Federal Trade Commission has had in place for many years.
  - conducting an assessment of an organisation’s compliance with the NDB Scheme, including the extent to which it has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches. This is a worthwhile amendment.
  - issuing an infringement notice for failures to provide information as required by the Act.
- organisations that carry on business in Australia are now regulated under the Privacy Act, even if they do not collect or hold information in Australia. The aim is to regulate organisations which carry on business in Australia but do not themselves collect or hold personal information in Australia. The Act will now apply to all acts done or practices engaged in by overseas entities which carry on business in Australia, irrespective of whether the acts or practices relate to individuals located in Australia. For organisations with a global operation, compliance will apply to the entire global operation.
What constitutes either a ‘serious’ or ‘repeated’ interference still remains vague and unsatisfactory.
The Greens successfully proposed an amendment which will now become section 13GA which provides:
An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Civil penalty: 2,000 penalty units
This provision makes it easier to take action than under section 13G, which refers to either a serious interference with privacy, whatever that means, or repeated interferences with privacy. Hopefully these provisions will be consolidated in the broader revision of the Act.
The amendments do not affect the operation of the Data Breach Notification Regime. Not all data breaches are covered. It remains the case that if an organisation suffers a data breach it may not need to provide notification of that data breach. The issue remains whether it has or has not taken reasonable steps in the circumstances to secure personal information. To that extent the amendments may not change much.
All of these amendments mean nothing if the Information Commissioner does nothing with them. The Commissioner has been a timid regulator. Whether that continues in light of the focus on privacy is the question.
The Bills Digest provides:
Purpose
The purpose of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) is to:
• increase penalties for serious or repeated interferences with privacy under the Privacy Act 1988
• provide the Australian Information Commissioner (the Commissioner) with greater enforcement and information sharing powers under the Privacy Act and the Australian Information Commissioner Act 2010 (AIC Act)
• provide the Australian Communications and Media Authority (ACMA) with greater information sharing powers under the Australian Communications and Media Authority Act 2005 (ACMA Act).
Background
Recent data breaches, especially the Optus data breach, affecting numerous Australians have prompted a series of immediate actions by the Australian Government, including the introduction of the Bill.
The Bill is a result of the Australian Government expediting some aspects of the ongoing Privacy Act review conducted by the Attorney-General’s Department. The Bill also includes provisions similar to various elements of the Exposure Draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill Exposure Draft) released for discussion and consultation by the previous Government.
Key issues and provisions
• The Bill increases the maximum civil penalty for serious or repeated interferences with privacy from the current $2.22 million to an amount that is the greater of $50 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 30% of an entity’s adjusted turnover in the relevant period.
• The Bill falls short of amending the ‘serious or repeated interference with privacy’ threshold that triggers the civil penalty provision in section 13G of the Privacy Act, as proposed by submitters to the Privacy Act review.
• For the increased penalty regime to have a real and sufficient deterrent effect, it cannot rely solely on the perceived deterrent effect of the penalty quantum. It will need to be matched by further reforms to the broader enforcement framework for interferences with privacy under the Privacy Act. The Office of the Australian Information Commissioner’s (OAIC) privacy functions relevant to proactive investigation and enforcement activity will also need to be adequately resourced.
• The Bill lowers the threshold for a foreign organisation to be covered by the Privacy Act.
• The Bill provides enhanced enforcement and information sharing powers for the Commissioner and the OAIC, which may attract opposition from regulated entities who have expressed concerns on largely similar amendments in the Online Privacy Bill Exposure Draft.
Background
Recent data breaches
September–October 2022 saw various high-profile and large-scale data breaches affecting Australia. Data breaches involving Optus, Medibank Private, MyDeal and others have resulted in the personal information about millions of Australians being compromised. These data breaches may have direct and long-lasting impacts on affected Australians, including financial harm through identity theft or fraud, psychological harm and reputational harm.
The recent Optus data breach has been singled out as the largest data breach in Australia’s history due to the sheer number of affected Australians and the extensive kinds of personal information involved. With nearly 10 million affected Australian customers, Optus has advised that the data breach may have exposed its ‘customers’ names, dates of birth, phone numbers, email addresses, and, for a subset of customers, addresses, ID document numbers such as driver’s licence or passport numbers’, as well as Medicare card numbers for a subset of customers.
The Optus data breach has prompted a series of immediate actions by the Australian Government, including:
• coordinated investigations into issues arising from the data breach by the Office of the Australian Information Commissioner (OAIC) and the ACMA
• intelligence and law enforcement agencies with cyber security capabilities across the Australian Government ‘working round the clock to respond to this breach’
• amendments to the Telecommunications Regulations 2021 through the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 to allow telecommunications companies, including Optus, to temporarily share approved government identifier information (such as driver’s licence, Medicare and passport numbers of affected customers) with regulated financial services entities to allow them to implement enhanced monitoring and safeguards for customers affected by the data breach
• introduction of the present Bill.
Privacy Act review
In light of the Optus data breach, Attorney-General Mark Dreyfus has criticised the ‘very outdated piece of legislation in the Privacy Act’ and undertaken to have the ongoing review of the Privacy Act finalised by his department by the end of 2022.
In December 2019, the Morrison Government announced that it would conduct a review of the Privacy Act as part of its response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry. The Privacy Act review was opened for public consultation and submissions on its issues paper published in October 2020 and discussion paper published in October 2021.
The review covers areas including:
• the scope and application of the Privacy Act
• whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices
• whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act
• whether a statutory tort for serious invasions of privacy should be introduced into Australian law
• the impact of the Notifiable Data Breaches (NDB) scheme and its effectiveness in meeting its objectives
• the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks
• the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
Despite the progress of the review, on 12 October 2022, Attorney-General Mark Dreyfus stated that the Government was considering expediting ‘some urgent reforms that [they] can make quickly to the Privacy Act’ in response to the Optus data breach. The result of this expedition is the present Bill. According to the Attorney-General, the Bill is ‘in addition to’ the Privacy Act review ‘with recommendations expected for further reform’.
Online Privacy Bill Exposure Draft
The Morrison Government also announced a parallel reform separate to the Privacy Act review – the proposed introduction of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill). The Online Privacy Bill aimed to address the pressing privacy challenges posed by social media and other online platforms.
In October 2021, the Attorney-General’s Department (AGD) released an Exposure Draft of, an explanatory paper to and a regulatory impact statement on the Online Privacy Bill for public consultation (which was closed in December 2021). However, the Online Privacy Bill was never formally introduced by the Morrison Government during the 46th Parliament. This Bill contains various elements of the Online Privacy Bill, as discussed below.
Committee consideration
Senate Legal and Constitutional Affairs Committee
The Bill has been referred to the Senate Legal and Constitutional Affairs Committee for inquiry and report by 22 November 2022.
Senate Standing Committee for the Scrutiny of Bills
At the time of writing, the Senate Standing Committee for the Scrutiny of Bills had not reported on the Bill.
Policy position of non-government parties/independents
The Australian Greens described the Bill as ‘a step forward’ but expressed its concern that ‘[i]t’s not much use beefing up the Information Commissioner’s powers if they don’t get matching funding so they can actually use those powers.’
At the time of writing, other non-government parties and the independents do not appear to have commented publicly on the Bill.
Position of major interest groups
Major interest groups, especially entities covered by the Privacy Act, have previously provided submissions on the Online Privacy Bill Exposure Draft, which, as already noted, contained some amendments that are equivalent to those in the present Bill. The proposed amendments relating to the Commissioner’s enforcement and information gathering powers in the Exposure Draft were met with opposition from some of those entities, as discussed below.
Financial implications
The Explanatory Memorandum to the Bill states that the Bill may increase Commonwealth revenue due to increased penalties, depending on the number and quantum of successful civil penalty orders sought by the Commissioner.
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011, the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.
Key issues and provisions
Increased penalties for serious and repeated interferences with privacy
Currently section 13G of the Privacy Act gives rise to a civil penalty if:
• an entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual
• an entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Item 14 of the Bill inserts proposed subsection 13G(3) into the Privacy Act to set out the penalty for a serious or repeated interference with privacy by a body corporate. This increases the maximum civil penalty from 10,000 penalty units, which currently equate to $2.22 million, to an amount that is the greater of:
• $50 million (proposed paragraph 13G(3)(a))
• 3 times the value of the benefit the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy if the court can determine this value (proposed paragraph 13G(3)(b))
• 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention if the court cannot determine the value of the benefit under paragraph 13G(3)(b) (proposed paragraph 13G(3)(c)).
Proposed subsection 13G(2) of the Privacy Act sets out the penalty for a serious or repeated interference with privacy by a person other than a body corporate (such as a sole trader or a partnership). This increases the penalty from a maximum of 2,000 penalty units, which currently equate to $444,000, to a maximum of $2.5 million.
The ‘serious or repeated interference with privacy’ threshold
An ‘interference with privacy’ is defined in section 13 of the Privacy Act, and is a breach of the Privacy Act or of a privacy-related provision in certain other legislation. However, the phrases ‘serious interference with privacy’ and ‘repeated interference with privacy’ are not defined in the Privacy Act and there have been no decided cases under this provision. At the time of introduction of these terms, the relevant Explanatory Memorandum stated that the ordinary meaning of the terms ‘serious’ and ‘repeated’ would apply. The Bill does not propose any change to this threshold.
In its Guide to privacy regulatory action, which is merely an administrative guidance, the OAIC states that the question of whether an interference with privacy is serious is an objective one that will reflect the opinion of a reasonable person. It provides a list of factors that it considers ‘are relevant in considering whether a particular interference with privacy is serious’:
• the number of individuals potentially affected
• whether it involved ‘sensitive information’ or other information of a sensitive nature
• whether significant adverse consequences were caused or are likely to be caused to one or more individuals from the interference
• whether vulnerable or disadvantaged people may have been or may be particularly adversely affected or targeted
• whether it involved deliberate or reckless conduct
• whether senior or experienced personnel were responsible for the conduct.
The OAIC also administratively defines ‘repeated interference with privacy’ to mean that an entity has interfered with the privacy of an individual or individuals on two or more separate occasions, which could arise from:
• the same act or practice done on two or more occasions
• different acts or practices done on two or more occasions.
A proposal in the ongoing Privacy Act review is to clarify what constitutes a ‘serious’ or ‘repeated’ interference with privacy. In its October 2021 Privacy Act review – discussion paper, AGD acknowledges that there could be a benefit in more clearly identifying the type of conduct captured by the ‘serious or repeated interference with privacy’, which is that it would increase clarity for the OAIC, APP entities (regulated by the Privacy Act) and the courts.
In its submission to the Privacy Act review – discussion paper, the OAIC supports the proposal to clarify the phrase, but recommends removing the ‘repeated’ threshold. This is because the OAIC considers that ‘a repeated act or practice that interferes with the privacy of individuals would fall within the natural meaning of a “serious” privacy incident, rather than existing as a separate legal construct’. Nevertheless, the OAIC indicates that it supports the proposal to clarify the ‘serious or repeated interference with privacy’ threshold only if its preferred recommendation of repealing the threshold altogether, as discussed below, is not adopted.
It is unclear if the Government has made a conscious decision against clarifying those terms in the Bill or decided to defer settling on this proposed amendment issue when the ongoing review of the Privacy Act is completed. Either way, the Bill appears a missed opportunity for those terms to be afforded the legislative clarity that it is said to need.
Comparison with other existing or proposed penalty regimes
The proposed maximum penalties in this Bill are identical to those proposed under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, which had passed both Houses by 27 October 2022. In this way, the Government has adopted Recommendation 16(f) in the ACCC’s July 2019 Digital Platforms Inquiry – final report that the maximum penalties for serious or repeated interferences of privacy under the Privacy Act be increased to mirror the penalties for breaches of the ACL to achieve effective deterrence.
The proposed maximum penalties in the Bill exceed what was proposed in the Online Privacy Bill Exposure Draft for privacy breaches by social media services, data brokerage services and large online platforms: $10 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 10% of an entity’s annual Australian turnover.
In terms of comparisons with equivalent legislation in overseas jurisdictions, the proposed maximum penalty of $50 million in the Bill is significantly higher than the maximum penalty of €20 million (approximately A$31 million) under the European Union General Data Protection Regulation (GDPR). However, the proposed penalty of 30% of a body corporate’s annual Australian turnover in the Bill may not be directly comparable with the penalty of 4% of an entity’s global annual turnover under the GDPR.
How would the strengthened penalty regime protect Australians’ information privacy?
Before introducing the Bill, Attorney-General Mark Dreyfus pointed out that the reputational harm suffered by entities from data breaches ‘clearly isn’t enough’. In his second reading speech on the Bill, he was unequivocal that tougher penalties were intended to have deterrent effects to incentivise entities to have stronger safeguards to protect Australians’ personal information:
… This bill sends a clear message that the Albanese government takes privacy, security and data protection seriously.
As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.
Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this.
Increased penalties …
Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data.
Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians …
Emphasis on the consequences of data breaches
The stated purpose of the increased penalty regime focuses on the consequences for an entity’s failure to protect personal information it holds from unauthorised access, as regulated by Australian Privacy Principle (APP) 11.1 of Schedule 1 to the Privacy Act. It is unlikely to address the root-cause issues of potential over-collection of personal information (APP 3) at one of the earliest stages of the information lifecycle and of data retention (APP 11.2). The Optus data breach has raised a question about whether it is reasonably necessary for a telecommunication company to collect information relating to a customer’s identification documents into its record after their identity has been verified. It has also raised the issue of whether a telecommunication company needs to retain or destroy a customer’s personal information once it is no longer needed for the purpose for which it was collected (for example, in the case of former customers).
These issues point to the data minimisation principle advocated by Australia’s privacy regulators and ombudsmen that ‘the collection of personal information … should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose’. An obvious benefit of data minimisation is that the fewer data are collected, the fewer data will be subject to unauthorised access in the event of a data breach. However, an entity’s efforts to actualise this ideal privacy practice are often limited by their statutory obligations to collect and retain personal information for national security and crime prevention reasons.
For example, the Telecommunications (Interception and Access) Act 1979 requires a telecommunication company to collect and retain various kinds of personal information about a customer, including their contact information and ‘information for identification purposes’ – even beyond their time as a customer. Such a legislative requirement absolves the company of its normal obligation under APP 11.2 to take reasonable steps to destroy or de-identify the customer’s relevant personal information that it no longer needs for any purpose for which the personal information may be used or disclosed under the APPs.
Therefore, the increased penalty regime may be seen as a band-aid solution that would not directly address the root-cause issues of over-collection and data retention underlying the Optus data breach. These issues will likely persist without appropriate reforms to relevant data retention legislation in addition to imminent reforms to the Privacy Act, including the proposed introduction of a right to erasure of personal information. Any reforms to relevant data retention legislation will need to involve striking a delicate balance between safeguarding Australia’s national security and protecting Australians’ information privacy.
Deterrent effect of the increased penalties
The Government appears hopeful that the quantum of the increased penalties will have a general deterrent effect for entities that have obligations to protect Australians’ personal information from data breaches under the Privacy Act. However, the OAIC’s very limited track record of using the existing penalty regime as a regulatory tool to date may cast doubt on whether the intended deterrent effect can be achieved. Since section 13G of the Privacy Act (the civil penalty provision for serious or repeated interferences with privacy) commenced in March 2014, the OAIC’s litigation against Facebook Inc and Facebook Ireland currently before the Federal Court of Australia (which concerns the Facebook–Cambridge Analytica data scandal that occurred in the 2010s) is the first and only instance of civil penalty proceedings by the OAIC.
Indeed, the current process of having a civil penalty order imposed on an entity can be lengthy and complex. The Commissioner does not have power under the Privacy Act to directly impose a penalty on a regulated entity. Rather, it must apply to the Federal Court of Australia or the Federal Circuit and Family Court of Australia for a civil penalty order against an entity for a serious or repeated interference with privacy. The OAIC has expressed criticism of the current provision, arguing that the ‘serious’ and ‘repeated’ thresholds in section 13G – which the Commissioner must demonstrate before civil penalty orders can be made by the courts – are ‘unnecessary’ because:
these factors are more appropriate considerations after breach has been established when the Federal Court determines civil penalties using well-established legal principles. The nature and extent of any contravention is also explicitly required for consideration under s 82(6) of the Regulatory Powers (Standard Provisions) Act 2014 (Cth) (Regulatory Powers Act) when determining pecuniary penalties. Requiring the Commissioner to adduce evidence of these matters to demonstrate a breach of s 13G creates unnecessary duplication which may not be an efficient use of public resources
[Section 13G] imposes legal concepts of seriousness and repeated conduct that distract from the proper focus on whether the Privacy Act itself has been breached. These concepts are more appropriately addressed after a breach has been established when determining pecuniary penalties.
In response to the Privacy Act review – discussion paper, the OAIC recommended that section 13G (and, therefore, the ‘serious’ and ‘repeated’ thresholds) be repealed and a single civil penalty provision for any interferences with privacy (rather than only the serious and repeated ones) be introduced to create a simpler civil penalty framework. It also recommended the creation of a series of low-level civil penalty provisions under certain APPs for administrative breaches of the APPs with attached infringement notice powers for the Commissioner.
Further, the OAIC’s longstanding resourcing constraints amid its growing workloads may have also contributed to its very limited track record of using the existing civil penalty regime as a regulatory tool. As acknowledged by the OAIC, the contemporary approach to regulation expected by Australians is that government regulators use the full range of compliance and enforcement tools available in the law. The OAIC’s FOI disclosure log indicates that following the 2022 Federal Election in June 2022, Angelene Falk, Australian Information Commissioner and Privacy Commissioner, provided Attorney-General Mark Dreyfus a brief titled Overview of OAIC strategic priorities. In the brief, before noting the ‘[s]ignificant funding pressure’ faced by her office, Commissioner Falk, stated:
The complexity of personal information flows in the digital economy and the significant information asymmetry between digital platforms and individuals necessitates less reliance on the traditional individual complaint-based mechanisms for addressing privacy risks and harms, requiring increased proactive investigation and enforcement activity … The changed enforcement posture and focus on global, digital and significant privacy risks and harms is more expensive than the traditional complaint-handling dispute resolution approach of the office …
However, any shift in the OAIC’s regulatory posture from its historical focus on resolving privacy complaints to more use of regulatory ‘sticks’ would also need to be reflected in future funding arrangements for the national privacy regulator. In the Budget October 2022–23, the OAIC has been allocated $5.5 million over 2 years from 2022–23 to support its response to the Optus incident. In the Budget March 2022–23, the OAIC was allocated $8.71 million in 2022–23 and $8.24 million in 2023–24 to process privacy complaints and enhance its capacity to take regulatory action for breaches of privacy, such as litigation against social media platforms. These funding allocations from March 2022 have also been confirmed. However, it remains to be seen whether these budget measures will be adequate to meet the OAIC’s existing workload and the expanding scope of the OAIC’s jurisdiction proposed by the Bill and envisaged in the ongoing Privacy Act review.
Therefore, for the increased penalty regime to have a real and sufficient deterrent effect, it cannot rely solely on the perceived deterrent effect of the penalty quantum. The increased penalty regime will need to be matched by further reforms to the broader enforcement framework for interferences with privacy under the Privacy Act. The OAIC’s privacy functions relevant to proactive investigation and enforcement activity, as enhanced by the greater enforcement powers proposed in the Bill, will also need to be adequately resourced for the OAIC to be an agile regulator taken seriously by the regulated.
Enhanced enforcement powers for the OAIC
Expanded extra-territorial jurisdiction of the Privacy Act
Currently, the Privacy Act has extra-territorial reach to any foreign organisation that has an ‘Australian link’, which is enlivened by satisfying two criteria:
• The organisation carries on business in Australia or an external Territory (existing paragraph 5B(3)(b)).
• The organisation collected or held personal information in Australia or an external Territory, either before or at the time of the act or practice (existing paragraph 5B(3)(c)).
Item 10 of the Bill repeals existing paragraph 5B(3)(c), which would leave ‘carrying on business’ in existing paragraph 5B(3)(b) effectively the only requirement for a foreign organisation to have an Australian link.
The Explanatory Memorandum to the Bill provides the rationale behind this proposed amendment:
The proposed amendment may have come amid the OAIC’s ongoing litigation against Facebook Inc and Facebook Ireland before the Federal Court of Australia, which has raised issues about the extra-territorial provisions of the Privacy Act. One of these issues concerns whether Facebook Inc was collecting or holding in Australia the personal information that is the subject of the claim. The Full Court of the Federal Court of Australia upheld the primary judge’s conclusion (which had been disputed by Facebook Inc) that an inference was open that Facebook Inc collected relevant personal information in Australia by means of cookies which it installed on the devices of Australian users.
This proposed amendment is identical to an amendment in the Online Privacy Bill Exposure Draft. Given its own legal battles in relation to the extra-territoriality of the Privacy Act, it is relevant to note Meta’s (formerly Facebook Inc) concerns about the proposed lower threshold of the ‘Australian link’ test (in response to the Online Privacy Bill Exposure Draft):
… [T]he proposed change to the “Australian link” test means that any foreign corporation that carries on business in Australia will be bound to comply with the Australian Privacy Act even in relation to personal information that they collect from individuals who are not in Australia.
For example, if a US corporation carries on business in Australia through providing services to Australian end users, then the updated “Australian link” test would mean that the Privacy Act would also apply to that corporation’s handling of information about users in the US or in any other jurisdiction where that corporation makes its services available. This appears to be an unintentional consequence of the proposed drafting changes. In principle, we see no reason for Australian laws to seek to regulate management of personal information that has no direct connection with Australia or with Australians.
Law firm Herbert Smith Freehills also observed that, as ‘a (presumably unintentional) consequence of the proposed drafting change’, the reduced threshold in the present Bill could be interpreted to mean that foreign companies carrying on business in Australia would be subject to the Act even in respect of their activities that do not relate to their business in Australia, or to Australian individuals. We note that the EU’s General Data Protection Regulation includes extra-territoriality tests based on individuals in the EU, and the California Consumer Privacy Act includes a test based on Californian residents.
In its submission to the Online Privacy Bill Exposure Draft, Communications Alliance noted a similar concern but suggested that:
If the concern is that an organisation may indirectly collect or hold information that is derived from another source within Australia that directly collects or holds the information, section 5B could be amended to bring such indirect collection and holding within the definition. Otherwise, the change would create broad, uncertain and unconstrained extraterritoriality that is not consistent with good legislative practice and comity between national laws.
Strengthened Notifiable Data Breaches scheme
More detailed notification to the Commissioner
Under the NDB scheme of Part IIIC of the Privacy Act, any organisation or agency covered by that Act must notify the OAIC and take reasonable steps to notify affected individuals when a data breach is likely to result in serious harm to the affected individuals (which is known as an ‘eligible data breach’).
If an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach of the entity, one of its notification obligations under the NDB scheme is to prepare a statement for the Commissioner under section 26WK of the Privacy Act (before notifying the contents of this statement to affected individuals under section 26WL). One of the pieces of information that must be included in that statement is ‘the kind or kinds of information concerned’ in the eligible data breach (paragraph 26WK(3)(c)).
Item 17 of the Bill amends paragraph 26WK(3)(c) of the Privacy Act such that a reporting entity must include information about the particular kind(s) of personal information involved in an eligible data breach, as opposed to just the kind(s) of personal information.
In practice, this may mean, for example, instead of notifying that ‘contact information’ has been involved in an eligible data breach (which is one of the ‘categories’ of personal information in the OAIC’s online Notifiable data breach form), the reporting entity must state the specific kinds of contact information (which may be, for example, home address, phone number or email address).
The Explanatory Memorandum to the Bill states that this proposed amendment:
… is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an eligible data breach in order to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.
This proposed amendment would ultimately benefit affected individuals, as a reporting entity also has an obligation to take reasonable steps to notify the contents of the section 26WK statement (which has been provided to the Commissioner) to the affected individuals under section 26WL.
New information gathering powers relating to eligible data breaches
Currently, information available to the Commissioner and their office about an eligible data breach under the NDB scheme is limited to information that an entity voluntarily discloses in its section 26WK statement. To obtain more detailed information about the data breach, the Commissioner or their delegates may make preliminary inquiries to the entity or a third party under subsection 42(2) of the Privacy Act. However, there appear to be no obligations on the entity or the third party to respond to or cooperate with those preliminary inquiries. It is only after the Commissioner has opened a formal investigation against the entity under subsection 40(2) that the Commissioner’s information gathering power under subsection 44(1) may be enlivened.
Proposed section 26WU of the Bill (inserted by item 18 of the Bill) addresses this gap. It provides the Commissioner with a power to require a person or an entity by written notice to give information, produce a document or answer questions of a kind specified in the notice (proposed subsection 26WU(3)) if the Commissioner has reason to believe that they have information or documents, or can answer questions, that are relevant to either or both of the following matters (the relevant matters):
• an actual or suspected eligible data breach of an entity (proposed paragraph 26WU(1)(a))
• an entity’s compliance with the requirements in Part IIIC, Division 3 (proposed paragraph 26WU(1)(b)).
Proposed subsection 26WU(2) provides a non-exhaustive list of factors that the Commissioner may consider to be the relevant matters.
Proposed subsection 26WU(4) provides that in a subsection 26WU(3) notice, the Commissioner must state the place and time at which the information, document or answers must be provided.
Proposed subsection 26WU(5) outlines how the Commissioner may or must handle documents produced in response to the subsection 26WU(3) notice.
Proposed subsection 26WU(6) provides that the Commissioner must not exercise their power under proposed section 26WU where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.
Proposed subsection 26WU(7) ensures that a person or entity is not liable to a penalty under the provisions of any other Commonwealth law because they have given information, produced a document or answered a question to comply with a subsection 26WU(3) notice.
New powers to conduct assessments on compliance with the NDB scheme
Under section 33C of the Privacy Act, the Commissioner currently has a power to conduct an assessment of an entity’s compliance relating to various aspects of the Act, even in the absence of a breach of the Act or a privacy complaint having been made. However, the Commissioner does not have a power to assess an entity’s compliance with the NDB scheme.
Proposed subparagraph 33C(1)(ca) (inserted by item 21 of the Bill) addresses this gap and provides the Commissioner a new power to conduct an assessment of an entity’s ability to comply with the NDB scheme in Part IIIC of the Privacy Act. This proposed amendment has adopted a similar amendment in the Online Privacy Bill Exposure Draft.
Proposed paragraphs 33C(3)–(8) (inserted by item 22 of the Bill) provide information gathering powers, and limitations on those powers, similar to those in proposed section 26WU discussed above.
New infringement notice powers to penalise failure to provide information
Item 38 of the Bill repeals the criminal penalty in existing subsection 66(1) of the Privacy Act and substitutes it with a civil penalty for a basic contravention which arises where a person is required to give information, answer a question, or produce a document or record under the Act, and refuses or fails to do so (for example, under proposed subsection 26WU(3), proposed paragraph 33C(3) or existing subsection 44(1) discussed above). The penalty is 60 penalty units for a person and 300 penalty units for a body corporate.
Item 44 of the Bill inserts proposed section 80UB. This allows the Commissioner or an SES employee of the OAIC (or equivalent) as an ‘infringement officer’ (pursuant to Part 5 of the Regulatory Powers (Standard Provisions) Act 2014) to issue an infringement notice instead of seeking a civil penalty for contraventions of proposed subsection 66(1).
The Explanatory Memorandum to the Bill posits that:
… Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.
Further, item 39 of the Bill inserts proposed subsection 66(1AA) to the Privacy Act. This creates a new offence for a corporation of engaging in conduct that constitutes a system of conduct or a pattern of behaviour that results in two or more contraventions of proposed subsection 66(1). This would enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions for more serious and systemic conduct of failing to provide information. However, items 40 and 41 of the Bill amend subsection 66(1B) of the Privacy Act so that proposed subsection 66(1AA) is subject to the ‘reasonable excuse’ safeguard in existing subsection 66(1B).
These proposed new infringement notice powers to penalise failure to provide information also adopt similar amendments in the Online Privacy Bill Exposure Draft.
Enhanced information sharing powers for the Commissioner
Power to share information with authorities
Proposed section 33A of the Privacy Act (inserted by item 20 of the Bill) provides the Commissioner the power to share information or documents with a receiving body for the purpose of the Commissioner or the receiving body exercising powers, or performing functions or duties (proposed subsection 33A(1)). The Explanatory Memorandum states that proposed section 33A is an authorisation by law for the purposes of APP 6.2(b).
Proposed subsection 33A(2) states that a receiving body may be:
• an enforcement body (as defined in subsection 6(1))
• an alternative complaint body (as defined in subsection 50(1))
• a state or territory authority (as defined in subsection 6C(1)) or an authority of the government of a foreign country that has privacy functions.
Proposed subsection 33A(3) provides that the Commissioner may only share information or documents with a receiving body if:
• the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties under the Privacy Act and
• the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.
Proposed subsection 33A(4) provides that if the Commissioner acquired the information or documents from an Australian Government agency (as defined in subsection 6(1)), the Commissioner may only share the information or documents with a receiving body that is also an Australian Government agency (and not a state or territory authority, or foreign body).
Proposed subsection 33A(5) provides that a receiving body may only use the information for the purposes for which it was shared.
Proposed subsection 33A(6) clarifies that the Commissioner is not required to transfer a complaint or part of a complaint to share information or documents with a receiving body.
These proposed amendments are in similar terms to those in the Online Privacy Bill Exposure Draft, although the present Bill inserts an additional safeguard that a receiving body may only use the information for the purposes for which it was shared (proposed subsection 33A(5)).
In response to the Online Privacy Bill Exposure Draft (but not the present Bill), the Law Council of Australia raised concern that the Commissioner’s new information sharing power under proposed subsection 33A(1) of that Bill (which is identical to proposed subsection 33A(1) of the present Bill) may be too broad when used in conjunction with:
• the Commissioner’s current power under existing section 33C of the Privacy Act to assess an entity’s compliance with certain parts of the Act in the absence of any breach of the Act or any complaint having been made
• the Commissioner’s new information gathering power to issue a notice to produce information or a document relevant to an assessment under proposed paragraph 33C(3) of the Privacy Act (in the Online Privacy Bill).
The Law Council of Australia’s concern appears to be centred on the prospect that information or documents which an entity is compelled to produce to the Information Commissioner (when exercising a compulsory information-gathering power) could then be disclosed by the Information Commissioner under proposed subsection 33A(1) of the Online Privacy Bill Exposure Draft (which is identical to proposed subsection 33A(1) of the present Bill) to a receiving body – even without the entity’s knowledge or consent, or having to consult the entity.
Further, it is unclear how the safeguard in proposed subsection 33A(5) of the present Bill, which requires that ‘a receiving body may only use the information for the purposes for which it was shared’, would have any practical significance in relation to a receiving body that is ‘an authority of the government of a foreign country that has privacy functions’ (proposed subparagraph 33A(2)(c)). For example, the Commissioner might be ‘satisfied on reasonable grounds’ that a foreign privacy regulator ‘has satisfactory arrangements in place for protecting the information or documents’ shared (proposed subparagraph 33A(3)(b)) before sharing the information or documents. However, once the information or documents are shared, the ‘safeguard’ in proposed subsection 33A(5) may not be operative if the foreign privacy regulator then proceeds to disclose, or is compelled to disclose, the information or documents to other government or law enforcement bodies in its jurisdiction for any secondary purposes (under the laws of its own jurisdiction or otherwise).
Powers to disclose certain information if in the public interest
Proposed subsection 33B(1) sets out the Commissioner’s power to disclose certain information acquired in the course of the Commissioner exercising powers or performing functions or duties under the Privacy Act if the Commissioner is satisfied the disclosure is in the public interest. The Explanatory Memorandum to the Bill provides that:
The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties. Section 33B is an authorisation by law for the purposes of APP 6.2(b).
Proposed paragraph 33B(2)(a) sets out a list of public interest considerations that the Commissioner must consider before exercising their discretion under proposed subsection 33B(1):
• the rights and interests of any complainant or respondent
• whether the disclosure will or is likely to prejudice any investigation the Commissioner is undertaking
• whether the disclosure will or is likely to disclose the personal information of any person
• whether the disclosure will or is likely to disclose any confidential commercial information
• whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body.
Proposed paragraph 33B(2)(b) sets out that the Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest.
Proposed subsection 33B(3) clarifies that section 33B does not limit the Commissioner’s other powers under the Privacy Act or any other Commonwealth laws to disclose information.
These proposed amendments adopt similar amendments in the Online Privacy Bill Exposure Draft, although that Bill proposes a general prohibition (with a few exceptions) on the Commissioner disclosing information about an eligible data breach. However, that prohibition is not contained in the present Bill, which is likely a result of the recent high-profile data breaches. As the Explanatory Memorandum notes:
The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties.
The Commissioner’s proposed power to publish information about privacy issues or data breaches would likely be met with opposition from the regulated entity for reasons related to reputation and confidentiality. Speaking from the perspective of an entity that may be covered by the Privacy Act, in response to similar amendments in the Online Privacy Bill Exposure Draft, Meta noted:
We suggest that before exercising the right to share information in the public interest, the Information Commissioner should consult with any potentially affected parties and allow them to make submissions as to why all or some of the information should not be disclosed and to seek review of the Information Commissioner’s decision if necessary. Without this type of protection it will be much harder for regulated entities to be comfortable sharing information with the Information Commissioner on a voluntary basis, as there would be a heightened underlying risk of that information being shared outside an entity’s control.
Both the Business Council of Australia and the Communications Alliance expressed concerns that information published by the Commissioner might include information supplied by regulated entities that is contestable in terms of accuracy, completeness or relevance. They recommended the similar proposed subsection 33B in the Online Privacy Bill Exposure Draft be amended to include a requirement for prior consultation with the person or entity that provided the relevant information or to whom the information relates, among other things.
Enhanced determination powers for the Commissioner
Under the Privacy Act, the Commissioner has the power to make a determination after investigating a complaint, to dismiss the complaint or find that the complaint is substantiated (existing subsection 52(1)), or after conducting an investigation on the Commissioner’s own initiative (existing subsection 52(1A)).
Proposed subparagraph 52(1)(b)(iia) (inserted by item 29 of the Bill) sets out that after investigating a complaint, the Commissioner may find the complaint substantiated and make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct. The relevant requirements and processes are set out in proposed section 52A (inserted by item 33 of the Bill). Proposed paragraph 52(1A)(ba) (inserted by item 30 of the Bill) provides a similar power for the Commissioner’s determinations on Commissioner-initiated investigations.
Under existing subparagraph 52(1)(b)(ia) or existing paragraph 52(1A)(b), the Commissioner may make a determination that includes a declaration that a respondent must take specified steps within a specified period to ensure conduct (in relation to complaints), or an act or practice (in relation to Commissioner-initiated investigations) constituting an interference with an individual’s privacy is not repeated or continued.
Proposed subsection 52(1AAA) (inserted by item 31 of the Bill) specifically allows the Commissioner to make a determination that includes a requirement for the respondent to engage, in consultation with the Commissioner, a suitably independent and qualified adviser to assist this process. The adviser is to review the acts or practices engaged in by the respondent that were the subject of the complaint, the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued, and any other matter specified in the declaration that is relevant to those acts or practices, or that complaint (proposed paragraph 52(1AAA)(a)). It appears this amendment formalises the legal basis for a practice that the Commissioner has already used in some of her recent determinations.
These proposed amendments to the Commissioner’s determinations powers adopt similar amendments in the Online Privacy Bill Exposure Draft.
The Legal and Constitutional Affairs Legislation Committee reported on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. The report provides:
List of Recommendations
Recommendation 1
3.9 The committee recommends that the Attorney-General’s Department, as part of its review of the Privacy Act 1988, recommend amending section 13G of the Act to define the terms ‘serious interference’ and ‘repeated’ interference and that the Australian government implement such a recommendation.
Recommendation 2
3.14 The committee recommends that the Attorney-General’s Department, as part of its review of the Privacy Act 1988, examine the appropriateness of section 5B providing for any additional ‘Australian link’.
Recommendation 3
3.16 Subject to the above recommendations, the committee recommends that the Bill be passed.
1.1 On 27 October 2022, the Senate referred the provisions of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) to the Senate Legal and Constitutional Affairs Legislation Committee (the committee) for inquiry and report by 22 November 2022.
1.2 The Bill would amend three Commonwealth Acts to increase penalties for serious or repeated interferences with privacy, enhance enforcement powers for the Australian Information Commissioner (the Commissioner), and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.
Conduct of the inquiry and acknowledgement
1.3 In accordance with its usual practice, the committee advertised the inquiry on its website and wrote to organisations and individuals inviting submissions by 7 November 2022. The committee received 32 submissions, which are listed at Appendix 1.
1.4 The committee held a public hearing in Canberra on 17 November 2022. A list of the witnesses who appeared at the hearing is at Appendix 2.
1.5 The committee thanks those individuals and organisations who made submissions and gave evidence at the public hearing.
Scope of the report
1.6 This report comprises three chapters:
Chapter 1 provides background information relating to the Bill, outlines the Bill’s key provisions, and notes any consideration of the Bill undertaken by other parliamentary committees;
Chapter 2 examines some of the key issues raised by stakeholders; and
Chapter 3 sets out the committee’s findings and recommendations.
1.7 In this report, references to the Committee Hansard are to the proof (that is, uncorrected) transcript. Page numbers may vary between the proof and the official transcript.
Background to the inquiry
1.8 On 22 September 2022, Australia’s second largest telecommunications company, SingTel Optus Pty Limited (Optus), a fully owned subsidiary of Singapore Telecommunications Limited, announced that the personal and other sensitive information of up to 9.8 million customers had been accessed and stolen during a cyberattack (Optus data breach).
1.9 In the following weeks, MyDeal.com.au Pty Ltd (MyDeal), an online retail company and subsidiary of the Woolworths Group, and Medibank Private Limited (Medibank), one of Australia’s largest private health insurers, announced that they had also been the subject of cyberattacks, where millions of customers’ personal and sensitive data had been stolen by criminals.
1.10 The Privacy Act 1988 (Privacy Act) establishes the Notifiable Data Breaches (NDB) scheme, which requires regulated entities to notify affected individuals and the Commissioner if an entity has reasonable grounds to believe that an ‘eligible data breach’ (as defined in section 26WE) has occurred.
1.11 On 22 September 2022, the Office of the Australian Information Commissioner (OAIC) was notified of the Optus data breach and on 11 October 2022 commenced an investigation into the personal information handling practices of Optus and its associated companies, Optus Mobile Pty Ltd and Optus Internet Pty Ltd (all three collectively called ‘the Optus companies’).
1.12 On 25 October 2022, the Australian government delivered the 2022-2023 Federal Budget, in which an additional $5.5 million over two years was allocated to the OAIC to investigate and respond to the Optus data breach.
1.13 In addition, as a result of the data breaches, on 12 November 2022 the Australian government announced an ongoing, joint standing operation by the Australian Federal Police and the Australian Signals Directorate to investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups.
Introduction of the Bill
1.14 The Attorney-General, the Hon Mark Dreyfus KC MP, introduced the Bill into the House of Representatives on 26 October 2022, stating:
…the Albanese government takes privacy, security and data protection seriously. As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.
1.15 The Attorney-General stated that the Bill would give Australians confidence that their data will be protected, with a targeted and measured response to the most pressing issues arising from the Optus data breach and other recent cyberattacks.
1.16 The Attorney-General also highlighted the Attorney-General’s Department (AGD) ongoing review of the Privacy Act, which will recommend further reforms designed to ensure ‘Australia’s privacy framework protects the personal information of Australians, supports an innovative economy and responds to new challenges in the digital age’.
Key provisions of the Bill
1.17 The Bill comprises one schedule that sets out proposed amendments to the Privacy Act, the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act).
Penalties
1.18 The Bill would amend the Privacy Act to increase the civil penalty for a serious interference with the privacy of an individual, or a repeated interference with the privacy of one or more individuals:
• by a person other than a body corporate, from 2000 penalty units to an amount not exceeding $2.5 million (proposed subsection 13G(2)); and
• by a body corporate, from 10 000 penalty units to an amount calculated with reference to a formula:
…not more than the greater of: $50 million; three times the value of any benefit obtained through the misuse of the information; or, if the value of the benefit obtained cannot be determined, 30 per cent of a company’s domestic turnover in the relevant period [proposed subsection 13G(3)].
1.19 In his second reading speech, the Attorney-General stated:
Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data. Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.
Enforcement powers
1.20 The Attorney-General highlighted that the Bill would also provide the Commissioner with ‘a suite of improved and new powers to resolve privacy breaches efficiently and effectively’.
Extra-territorial operation
1.21 The Privacy Act, a ‘registered APP code’ (as defined in section 26B) and a ‘registered CR code’ (as defined in section 26M) currently extend to organisations or small business operators that have an ‘Australian link’. The term ‘Australian link’ is defined in subsections 5B(2)-(3) of the Act.
1.22 The Explanatory Memorandum (EM) explains that part of the definition of ‘Australian link’ has become problematic:
A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians’ information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered ‘in Australia’.
1.23 The Bill would remove the requirement for an organisation or small business operator to collect or hold personal information in Australia or an external territory, before or at the time of the act or practice in question, in order to have an ‘Australian link’.
1.24 The Attorney-General explained:
To ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore, the bill will amend the act’s extraterritoriality provisions. This will mean that, even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.
Commissioner’s declarations
1.25 The Privacy Act provides a discretion for the Commissioner, following an investigation, to make binding and enforceable determinations (subsections 52(1) and 52(1A)).
1.26 The Bill would insert proposed subparagraph 52(1)(b)(iia) and proposed paragraph 52(1A)(ba) to enable the Commissioner to make a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct that was the subject of the investigation.
Information gathering and assessment
1.27 The Bill would insert Division 4 into Part IIIC of the Privacy Act to give the Commissioner the power to require the giving of information, the production of documents or the answering of questions in relation to actual or suspected ‘eligible data breaches’, or an entity’s compliance with the notification requirements (proposed section 26WU).
1.28 The EM states that the proposed information gathering power would strengthen the NDB scheme, by ensuring that the Commissioner has ‘a comprehensive knowledge of the information compromised in an actual or suspected eligible data breach in order to assess the particular risk of harm to individuals’.
1.29 Proposed section 26WU of the Privacy Act would be complemented by proposed amendments to section 33C of the Act:
- to extend the Commissioner’s power to assess an entity’s compliance with the Act to specifically include compliance with the NDB scheme (proposed paragraph 33C(1)(ca)); and
- to give the Commissioner the power to require an entity or ‘file number recipient’ (as defined in section 11) to produce information or a document that is relevant to the Commissioner undertaking an assessment of that entity or file number recipient under section 33C when conducting an assessment relating to the Australian Privacy Principles (proposed subsection 33C(3)).
1.30 According to the EM:
The purpose of subsection 33C(3) is to ensure entities cooperate with an assessment by providing the relevant information and documents the Commissioner needs to undertake an assessment. This will ensure that assessments are thorough, and not limited to information that is publicly available.
Infringement notice
1.31 The Bill would replace the criminal penalty in subsection 66(1) of the Privacy Act with a civil penalty for a person’s failure to give information, produce documents or records, or answer questions when required to do so under the Act (the basic contravention, proposed new subsection 66(1)). The penalty would be 60 penalty units for a person and 300 penalty units for a body corporate.
1.32 According to the EM:
The purpose of converting subsection 66(1) from a criminal offence to a civil penalty provision is to allow the Commissioner to issue a civil penalty or an infringement notice for minor instances of non-compliance without having to resort to the prosecution of a criminal offence. Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.
1.33 The Bill would also insert proposed subsection 66(1AA) into the Privacy Act to create a criminal offence for a body corporate that engages in conduct that constitutes a system of conduct or a pattern of behaviours resulting in at least two contraventions of the basic contravention. The penalty for the offence would be 300 penalty units.
1.34 The EM acknowledges:
Although this matches the civil penalty units for a basic contravention under subsection 66(1) by a body corporate, conduct regarded as criminal carries a greater stigma and this reflects the more serious nature of an offence under subsection 66(1AA). The purpose of subsection 66(1AA) is to enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions involving more serious, systemic conduct.
1.35 The civil penalty set out in proposed subsections 66(1) and 66(1AA) of the Privacy Act would not apply if a person has a reasonable excuse (subsection 66(1B) of the Act). A person who relies on this defence would bear an evidential burden.
1.36 In addition, the Bill would insert Division 1A into Part VIB of the Privacy Act to enable the basic contravention for failing to provide information, etc. to be subject to an infringement notice under Part 5 of the Regulatory Powers (Standard Provisions) Act 2014 (proposed subsection 80UB(1)).
1.37 The EM reiterates that the purpose of this proposed provision is to allow:
…an infringement officer to issue an infringement notice instead of seeking a civil penalty for contraventions of subsection 66(1) where a person is required to give information, answer a question, produce a document or record, and the person refuses or fails to do so. This will enable the OAIC to resolve matters more efficiently.
Information sharing powers
1.38 The AIC Act currently prohibits unauthorised dealings with information that has been acquired while performing functions or exercising powers conferred for the purposes of an information commissioner, a freedom of information or a privacy function. There are a limited number of exceptions to the statutory offence (section 29 of the Act).
1.39 The Bill would amend the AIC Act by replacing paragraph 29(2)(a) with proposed paragraphs 29(2)(a), (aa) and (ab). According to the EM, the amendment would clarify that there is an exception for:
…any uses of information for the same function (being either an information commissioner function, freedom of information function, or a privacy function) under the AIC Act for which it was collected. This would allow, for example, information from a [notification of a data breach in the prescribed form] to be used in a subsequent investigation into potential Australian Privacy Principle (APP) 11 breaches, as they both fall within the Commissioner’s privacy functions.
1.40 The Bill would insert proposed section 33A into the Privacy Act to enable the Commissioner to share information or documents with a ‘receiving body’ (as defined in proposed subsection 33A(2) of the Act) for the purposes of the Commissioner or the ‘receiving body’ exercising their powers or performing their functions or duties.
1.41 The EM states:
The purpose of this section is to ensure the Commissioner is able to transfer a complaint to a receiving body, and also share information for the purposes of the Commissioner or the receiving body exercising their powers, or performing their functions and duties. This may occur when, for example, the Commissioner is holding information that relates to both an investigation under the Privacy Act, and under the receiving body’s framework.
1.42 The Bill would also insert proposed section 33B into the Privacy Act to give the Commissioner a discretion to disclose information acquired in the course of exercising powers, or performing functions or duties, under the Act if the Commissioner were satisfied that it is in the public interest to do so.
1.43 According to the EM:
The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties.
1.44 Similarly, the Bill would amend the ACMA Act to enable the ACMA to disclose information to a ‘non-corporate Commonwealth entity’ (as defined in section 11 of the Public Governance, Performance and Accountability Act 2013) that is responsible for enforcing one or more laws of the Commonwealth.
1.45 The EM explains:
The amendment is important because for many functions and powers that non-corporate Commonwealth entities are exercising, taking prompt action is critical to help ensure further harm is minimised or avoided. For example, prompt disclosure of information by the ACMA following a data breach could help ensure that financial crime and fraud does not occur.
The Attorney-General noted also that the proposed information sharing powers for the Commissioner and the ACMA will ‘drive better cooperation between regulators in order to deliver better outcomes for Australians’.
Examination by other parliamentary committees
1.46 When examining a bill, the committee takes into account any relevant comments published by the Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) and the Parliamentary Joint Committee on Human Rights (Human Rights Committee).
Chapter 2
Key issues
2.1 Submitters and witnesses supported stronger protections for the security of personal information, with some describing the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) as long overdue.
2.2 The Law Council of Australia (Law Council) noted that individuals are increasingly required to provide personal and sensitive data to participate in Australia’s digital economy and to access services. However, as the Office of the Australian Information Commissioner (OAIC) highlighted:
…[W]e have seen several recent high-profile data breaches involving the personal information of millions of Australians and the resulting impacts this has had on the community. It is essential that the Australian privacy framework provides the right regulatory tools to enable the OAIC to respond efficiently and effectively to privacy harms emerging through the digital environment and [to] deter non-compliant behaviour.
2.3 CHOICE concurred that the ‘case for strengthening Australia’s privacy laws and regulatory enforcement powers has never been clearer’. While the Business Council of Australia (BCA) agreed on the need to protect Australians’ personal information, it emphasised that businesses operate in an ‘increasingly challenging environment’ where cyber incidents are inevitable:
It will be impossible to prevent all attacks. All frameworks put in place to respond to cyber incidents must recognise this. New attack methods, the discovery of zero-day vulnerabilities, leaking of government cyberattack tools, and sophisticated attackers all make it impossible for businesses to be immune to cyber incidents.
2.4 Submitters and witnesses commented broadly on potential legislative reforms to address transnational cybercrime and to enhance Australian privacy law, as well as the proposals contained in the Bill.
2.5 This chapter examines the following key issues raised in submissions and at the public hearing in relation to the Bill:
- the ongoing review of the Privacy Act 1988 (Privacy Act);
- the proposed increase to maximum penalties for serious or repeated interferences with privacy;
- the proposed expansion of enforcement powers for the Australian Information Commissioner (the Commissioner); and
- the proposed information sharing powers for the Commissioner and the Australian Communications and Media Authority (ACMA).
Review of the Privacy Act 1988
2.6 On 30 October 2020, the Attorney-General’s Department (AGD) commenced a review of the Privacy Act (Privacy Act Review), as recommended by the 2019 Digital Platforms Inquiry (Digital Platforms Inquiry).
2.7 The AGD conducted consultations and received numerous submissions on a broad range of potential reforms spanning the scope and application of the Privacy Act. The review is due to be completed shortly, with the report to be presented to the Attorney-General by the end of 2022.
2.8 Several submitters and witnesses engaged with the Privacy Act Review. Business stakeholders especially noted the importance of industry working with government to improve privacy protections and cyber security.
2.9 Some stakeholders commented also on the timing and interaction of the Privacy Act Review and the Bill. The Law Council, while supportive of the Bill, emphasised the importance of a holistic approach to privacy law reform:
[The Law Council] continues to welcome and engage with the holistic review of the Privacy Act, which is being concurrently conducted by the Attorney-General’s Department. The Law Council considers that it will be important to maintain the momentum of this review to avoid uncertainty and unintended consequences created by the fragmented approach to reform, to which the Privacy Bill is contributing.
2.10 A few submitters suggested that it might be preferable to wait for completion of the Privacy Act Review. The Australian Privacy Foundation (APF), for example, submitted:
The APF strongly recommends that any amendments to the Privacy Act only be made as part of the comprehensive reforms that have been under consideration by the Australian government for three years.
2.11 The Law Council and BCA noted the importance of ensuring that all privacy law reforms are consistent. The BCA highlighted also that the Bill would have broader implications than just responding to the recent cyber incidents. For example, increased maximum penalties would apply to ‘the range of relevant offences under the [Privacy] Act, and potentially to any new provisions legislated as part of the Privacy Act Review’.
2.12 In response to these concerns, and consistent with the Attorney-General’s second reading speech, the AGD submitted that the Bill needed to be introduced now to address ‘the more pressing issues arising from recent serious data breaches and cyber incidents’.
2.13 The AGD noted that, once the Privacy Act Review has been completed, a broad range of potential reforms will be recommended to the Australian government:
This review will recommend further reforms to ensure Australia’s privacy framework protects the personal information of Australians, supports an innovative economy and responds to the new challenges in the digital age. Broader proposals, including measures to address the amount of personal information that entities are collecting and how they are storing it, are issues that have been raised and considered through this review process, and it’s appropriate that these reforms be considered holistically in that process, given the range of complex and interconnected issues and other work across government.
2.14 With respect to momentum, an official noted that ‘the Attorney-General has a real interest in this area and certainly has expectations in terms of this review being finalised so that we can move to that next step’.
Increased maximum penalties for certain interferences with privacy
2.15 The Bill proposes to amend section 13G of the Privacy Act. This section sets out a contravention for a ‘serious interference’ with an individual’s privacy or a ‘repeated’ interference with the privacy of one or more individuals. The Bill would convert this existing provision into subsection 13G(1). The following proposed subsections 13G(2)-(3) would increase the civil penalty for the ‘serious interference’ or ‘repeated’ interference (see paragraph 1.18).
Protecting personal data
2.16 A broad range of stakeholders supported increasing the penalties for serious or repeated interferences with individuals’ privacy. Salinger Privacy, a private consultancy specialising in privacy matters, considered that, at present, corporations are not appropriately respecting or protecting privacy:
It is essential that the regulatory regime in Australia makes the cost of non-compliance with the Privacy Act more expensive than the cost of compliance. Fines under the Privacy Act should not be seen as simply a cost of doing business. Increasing the penalties available under the Privacy Act will send a strong signal to businesses and other entities around Australia that they must take their legal obligation seriously.
2.17 Professor David Lacey, Managing Director of IDCARE, a specialist support service, considered that the proposed penalties are robust enough to sharpen the focus on data security. He added:
…[F]rom what we’re seeing in the environment at the moment, there’s perhaps a degree of under-reporting, and that’s in the absence of these types of penalties in any case. So we don’t necessarily feel as though the increase of penalties or what organisations might be up for will necessarily create that disincentive to report.
2.18 Digital Rights Watch described the proposed penalty increases as ‘an important improvement’ to the ‘woefully inadequate’ fines that are currently provided for in the Privacy Act. In its view, the need to take privacy more seriously is reflected in proposed subsections 13G(2)-(3), and it expressed hope that these might lead to widespread organisational change:
It is our hope that increased penalties will also contribute to changing the culture regarding data gluttony, and compel organisations to consider data lakes containing personal information to be a toxic asset. Too many organisations currently collect and retain far too much personal information for a variety of reasons. Without appropriate disincentives, many organisations consider retaining information to be easier than deletion, or opt to hold onto more data than they need ‘just in case’ there is a use for it later. However, we would emphasise that fines alone are not enough to change this culture of over-collection.
2.19 The Digital Industry Group Inc. (DIGI) added that ‘recent data breach events have underscored the importance of data minimisation’, noting that the Privacy Act Review provides an opportunity to ‘retain and refresh the data minimisation principle’ in the Australian Privacy Principles (APPs).
2.20 In response to the perceived ‘data gluttony’, the BCA reiterated that businesses collect and use data to deliver better, as well as basic and essential, services and experiences for all Australians. It noted also that long-standing legislation and regulation at both federal and state levels continues to compel businesses to collect information:
Many organisations…have long argued that government should pursue reforms that bring the priorities of these various pieces of work into alignment, and harmonise the various regimes governing the use of data in Australia. Despite this, further reforms requiring greater collection of personal information have also been broached, including as part of online safety regimes and electronic surveillance reforms. Existing laws are opaque about whether businesses are required to hold the data necessary to fulfill their obligations. Realistically, to be able to demonstrate compliance and support government priorities, businesses must retain this information.
Compensation for harms
2.21 Some submitters and witnesses commented on the various harms that can result from the inadequate protection of personal data. Dr Katharine Kemp, a legal expert in the fields of competition, consumer protection and data privacy regulation, highlighted that ‘privacy breaches may have open-ended, often-hidden impacts on an individual’s opportunities, vulnerabilities, financial security and health for years after the breach’.
2.22 Professor Lacey informed the committee:
Around a quarter of the people that engage IDCARE services and speak with our specialist case managers have no idea how their information was actually compromised or stolen, and they have experienced the exploitation of their details by criminals through, for example, the establishment of accounts with financial institutions, accessing of government services and hacking of social media accounts, email accounts or the like. For that cohort in the community, you can imagine the impact that will have on them emotionally but also financially and, going forward, their participation online in other arrangements that they may have in their lives.
2.23 Specifically in respect of the Medibank Private Limited data breach, Professor Lacey highlighted that the harm is not so much about the credential exposure and risk but the release of deeply personal and sensitive information:
Medibank—what its customers are experiencing and what that threat actor is trying to achieve through its information operations and through using the media in the way that it is—is amongst the ugliest breaches we’ve ever seen…[S]ensitive, personal information has been accessed by a third party that wasn’t authorised, and, in some sad and sinister cases, published online. The human cost is a very emotional, psychological and, in some cases, physiological impact. It is not uncommon for us, even beyond the Medibank breach, to have people come to us and say, ‘I was physically sick when I found out this happened. I am no longer sleeping. I don’t answer the phone.’ It has quite a detrimental impact on people’s core being.
2.24 Digital Rights Watch submitted that, although the Bill would provide for increased maximum penalties for interferences with privacy, these penalties would not necessarily translate to redress for those individuals harmed by interference(s):
Stronger fines will not get people’s personal information back once it has been compromised. One area where this could be improved is compensation. The current test for compensation is based on harm suffered, yet data breaches such as Optus or Medibank require people to take proactive steps to guard against harm, and they may suffer harm much later and in unexpected ways. The test for compensation needs to change. There is a serious need to give power to individuals to seek redress for the harm they have suffered as a consequence of privacy invasion.
2.25 The Council of Small Business Organisations of Australia (COSBOA) agreed that individuals and small businesses have been significantly harmed by the recent data breaches, yet there is no appropriate compensation available:
An individual who has not been an Optus customer for years has been offered Optus credit rather than a cash reimbursement to cover their losses. This is of absolutely no use to them and is extremely frustrating. Had their data not been retained by Optus after all these years, they would not have had to experience the stress, financial hardship, and consequential losses they have suffered.
Comparative regimes
2.26 The OAIC submitted that proposed subsections 13G(2)-(3) would ‘ensure penalties under the Privacy Act are comparable with those of other domestic and international regulators’. For example, the OAIC, the AGD and Dr Kemp all referenced similar provisions recently introduced into the Competition and Consumer Act 2010 (Consumer Law), in response to the 2019 Digital Platforms Inquiry.
2.27 The Law Council noted that, at the time of the recommendation, the maximum financial penalties available under section 151 of the Consumer Law were much lower. Further:
…[T]he penalties under the Consumer Law that the Privacy Bill seeks to ‘mirror’ are new and untested—they have been subject to limited consultation, and their practical ramifications are currently unknown…[The Law Council is] troubled by the extent to which the Explanatory Memorandum to the Privacy Bill relies on the new penalty regime under the Consumer Law as the primary justification for the proposed changes to section 13G of the Privacy Act.
2.28 The AGD acknowledged that the maximum penalties available under the Consumer Law have increased since 2019 but explained that the rationale underpinning the Digital Platforms Inquiry recommendation remains sound: ‘it highlighted the close links between competition, consumer and privacy laws, and that there was a need to avoid a siloed approach to how we address those’.
2.29 With regard to the international jurisdiction, the AGD referred explicitly to the European Union’s General Data Protection Regulation (GDPR), submitting that the penalty provisions in this privacy framework also provide for significant penalties:
…[T]he European Union’s General Data Protection Regulation has a maximum penalty of €20 million or 4 per cent of a company’s annual global turnover, whichever is higher. This has led to significant fines against large digital platforms, including a €746 million (AUD $1.15 billion) fine against Amazon, €405 million (AUD $626 million) fine against Meta Platforms, €225 million (AUD $348 million) fine against WhatsApp and €90 million (AUD $139 million) fine against Google.
2.30 However, some submitters—such as Dr Kemp and the Australia Banking Association—disagreed that the GDPR penalty regime is comparable to the Bill, as the EU framework notably provides for a system of tiered penalties (see ‘A tiered approach’ below).
2.31 A few submitters cautioned that the effect of proposed subsections 13G(2)-(3) would be limited, as more comprehensive reforms are required to address issues of privacy protection and cybercrime prevention. The Tech Council of Australia highlighted that skills shortages, regulatory gaps, and lack of investment in more secure technology and practices need to be addressed. On the first of these points:
We believe that cyber security skills and talent is an area in need of far greater attention. Australia does not have enough cyber security professionals. In 2021, the vacancy rate for cyber security roles was over double the economy-wide vacancy rate…The skills shortages are concentrated in roles with 3+ years’ experience, and which require University degrees. That means they cannot be solved in the short-term by labour market adjustments or training. If businesses cannot hire experienced cyber security and tech talent, their capacity to prevent and manage incidents is far lower.
2.32 COSBOA commented similarly:
A greater investment from Government in secure technology and practices is required, while also addressing urgent skills shortages, improving cyber skills and awareness, and providing greater resources for education and training in conjunction with new technology solutions…[T]he cost of increased penalties will likely have a flow on effect causing supply chain issues.
2.33 Dr Kemp submitted that, while substantive amendments to obligations, exemptions and definitions in the Privacy Act would provide far greater privacy protections:
…increasing maximum penalties in the short term at least assures organisations that if they do contravene the current relatively weak privacy obligations and do so in a way that amounts to a ‘serious’ or ‘repeated’ interference with privacy which the OAIC manages to prove in the Federal Court, the consequences for the organisation may be severe and not merely a commercial speed bump.
Imposition of the maximum penalties
2.34 Some submitters argued that the maximum penalties set out in proposed subsections 13G(2) and 13G(3) are too high. The Law Council pointed out that regulated entities include smaller organisations and, as noted by the Community Council for Australia, charitable organisations, both of which, they argued, would cease to be viable if penalised under the proposed provisions.
2.35 The Commissioner, Ms Angelene Falk, noted that the penalty provisions apply to a broad range of privacy requirements and are only one of the options available to her:
…the increased amounts would apply in a range of contexts, not only in a data breach context but also where there’s a misuse of personal information by an entity, where there has been a secondary disclosure or where there has been a failure to obtain consent and so on…[W]e need to ensure that Australians’ personal information is protected from known risks…[W]e know that there are particular risks in our environment at present. One is malicious criminal actors; the other is human error…Because they are known risks, we need to ensure that businesses put in place reasonable steps to prevent them. If they have done so, it will not constitute an interference with privacy, and therefore the issue of applying for a penalty doesn’t arise. But, for example, if there has been a failure to mitigate known risks—if there’s been a failure, for example, to train staff or to alert them to how to identify phishing emails, or if the information is sensitive and warrants particular protection, such as multifactor authentication, and that’s not provided—then they’re the situations where I’d be more inclined to investigate a data breach and then consider regulatory options. A civil penalty would be only one regulatory option. The others are seeking an enforceable undertaking for the entity to rectify the problem and ensure it’s not repeated; I can also make a determination, which is an administrative decision ordering or declaring that the entity rectify the situation; or, as you say, in more egregious circumstances, I can seek a civil penalty.
2.36 The AGD considered that ‘the penalties that we have in our bill would really only apply to the most egregious breaches’. With respect to smaller organisations, it further noted that most small businesses are currently exempt from the application of the Privacy Act, and the size of the business would also be considered in determining whether it had taken reasonable steps in relation to the security of personal information.
A tiered approach
2.37 Several submitters and witnesses argued that the proposal to increase maximum penalties should adopt a tiered approach, as was put forward in the Discussion Paper released for the Privacy Act Review and/or as is the case under the GDPR.
2.38 COSBOA submitted that a scaled approach to setting and capping maximum penalties would ensure that they are proportionate to the seriousness and frequency of potential breaches. Further:
It is also worthwhile considering a different penalty regime which is dependent on the entity type and ensures appropriate and proportionate penalties are applied to companies, partnerships, microbusinesses and sole traders.
2.39 The Community Council for Australia concurred with this suggestion, submitting that the size of an organisation and the nature of its work should be a relevant consideration: ‘penalties of up to 30% of an organisation’s turnover would break the vast majority of charities and force them to close’. The BCA expressed a similar concern in relation to large businesses due to the size of the proposed maximum penalties.
2.40 Salinger Privacy questioned whether the proposed maximum penalties would have any impact on the non-compliant conduct of most organisations. It explained that there are two significant problems with the current enforcement regime: only ‘serious’ or ‘repeat’ conduct attracts a fine; and the OAIC cannot levy fines directly:
Business from banks to dentists, from real estate agents to app developers, should be motivated to implement good practices due to concern about the likely consequences of not complying with the Privacy Act. So long as the enforcement regime is only for ‘serious’ or ‘repeat’ conduct, and fines can only be levied by the Federal Court, many organisations will continue to ignore their obligations in the hope that the regulator is too overwhelmed to bother taking them to court, and that they could easily defend most conduct as either not serious or not repeat anyway.
We suggest that the perceived likelihood of being penalised is a more powerful motivator than simply the amount of the maximum penalty. Until this limitation is addressed, it will not matter that the top fine is $50M or more; most organisations will not imagine themselves ever being subject to such a penalty, and thus will continue their information handling practices without improvement.
2.41 Salinger Privacy suggested that a more effective, fair and scalable penalty regime would be a tiered approach, with provision for aggravating factors and a need to involve the Federal Court for ‘serious’ or ‘repeat’ interferences only at the maximum penalty level specified in the Bill.
2.42 The Tech Council of Australia agreed that ‘penalties should be proportionately applied’, and suggested that the Bill could be amended to provide for lower maximum penalties for less severe infringements:
- for example, the GDPR adopts a tiered approach to maximum penalties, with a smaller maximum penalty for less severe infringements, and larger maximum penalties reserved only for the most severe infringements; and
- introducing a tiered model would also provide more legal clarity for smaller businesses about their potential risk levels and exposure to the increased penalties.
2.43 In response, the AGD advised that the department is considering a tiered approach to penalties as part of the Privacy Act Review, noting that there is an argument for a mid-tier penalty:
…[T]he Information Commissioner…has a range of regulatory action that she can take. It’s quite a spectrum, so at the very low end she can provide guidance and education; if there’s a complaint she can attempt to conciliate; for more serious issues she may decide to make a determination; for a serious or repeated breach of privacy she can pursue a civil penalty. The feedback that we’ve had through the review to date is that perhaps there’s not enough of a spectrum in terms of being able to address the different types of seriousness of privacy breaches that can occur and, in particular, that there’s not much in between a determination that the Commissioner can make and when there’s a very serious or repeated breach of privacy. One of the ideas that we are considering through the review is whether there should be a mid-tier penalty that could apply for any breach of the Privacy Act.
Safe harbour mechanism
2.44 Several business stakeholders called for the Bill to incorporate a ‘safe harbour mechanism’, whereby entities that take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by Australian Privacy Principle 11, would not be penalised. The BCA submitted:
…any policy framework and response must clearly differentiate between incidents which occur due to negligent or reckless failure by an entity to take reasonable steps and those where the entity is a victim of sophisticated, targeted, and unprecedented actions by criminal and/or state actors. Duties of entities in this area and the consequences of a breach must be appropriate and proportionate to the actual wrongdoing or failure by the entity and the damage resulting to the entity, its employees, customers, and other stakeholders.
2.45 Similarly, Amazon Web Services submitted:
…civil penalties frameworks should not impose undue hardship on an otherwise responsible entity that already undertakes robust privacy and security practices. Entities should have the opportunity to demonstrate that they have taken appropriate security and organisational measures to protect personal information if an interference occurs, and these factors should be taken into consideration.
2.46 The Australian Privacy Foundation, Electronic Frontiers Australia and Digital Rights Watch did not support the creation of a safe harbour mechanism in relation to the maximum penalties proposed in the Bill. Mr David Vaile, Chair of the Australian Privacy Foundation, said:
In the European and US context it was eventually found that there was no basis for that, and it was used to lower the benchmark and lower the standards of protection for half a billion people in Europe.
2.47 Similarly, Mr Justin Warren, Chair of Electronic Frontiers Australia, stated that ‘often these safe harbour mechanisms are used as a way of avoiding consequences rather than as an incentive towards good behaviour’.
2.48 Ms Rachel Bailes, Head of Policy at the Australian Information Industry Association (AIIA), expressed a different view, however, stating that a properly drafted mechanism would incentivise good behaviour:
A properly drafted safe harbour regime wouldn’t act as a hammock or a get-out-of-jail-free card. Rather it’s the other side; it’s the carrot, the incentive, for organisations to take a good hard look at how their staff, organisational levels and boards are functioning and to leverage fantastic tools, such as the Essential Eight and other cybersecurity frameworks. Rather than that safe harbour being an opportunity to sit back, it’s an opportunity to lean forward and have a look at the legislation. Rather than just going, ‘We better make sure we never fall victim to a data breach,’ it’s about being resilient and cybersecure by putting practical steps in place so that you can satisfy that safe harbour.
2.49 Several submitters—such as the Tech Council of Australia and AIIA—contended that businesses need more clarity about the grounds on which the Commissioner might find a regulated entity liable for the imposition of a penalty. The former submitted that this lack of clarity is particularly acute where an entity has been the victim of a cyberattack. It added:
Clarity is not just important for industry certainty, it can also help incentivise good cyber and privacy practices, and encourage disclosure of data breaches which is a positive behaviour that helps keep the community safe by ensuring there is an effective response to incidents as they are unfolding, and by learning from them once they are concluded.
2.50 The Australian Banking Association observed that, at present, there is not even any case law on the application of the penalty provision in section 13G of the Privacy Act:
In the current Facebook matter, the Office of the Australian Information Commissioner…has taken a broad interpretation of how civil penalties should be applied for serious and repeated privacy breaches and the penalty sought would far exceed $50 million.
2.51 The AGD acknowledged concerns about the maximum penalties proposed in subsections 13G(2)-(3) but submitted that these penalties will not apply in all circumstances:
Although the Bill proposes to increase the maximum penalties that can apply under the Privacy Act, a court would retain discretion to determine a penalty which is appropriate and proportionate to the seriousness of the misconduct and harm or potential harm. The court may consider factors such as the nature and extent of the contravening conduct, the damage or loss suffered, the size of the contravening entity and whether the entity has previously been found to have engaged in similar conduct.
Legislative terminology
2.52 Some submitters and witnesses highlighted key terms within proposed subsections 13G(1)-(3) of the Privacy Act, which they argued are uncertain, including the terms: ‘benefit’, ‘serious’, ‘repeated’, ‘turnover’ and ‘breach turnover period’.
2.53 Mr Vaile said that ‘there are very few legal precedents in this area, very little court analysis of the meaning of particular provisions, because there is no easy way to get into court’.56 Reinforcing this point, Ms Samantha Floreani, Program Lead at Digital Rights Watch, pointed out:
…[N]ot a single penalty has been imposed under the Privacy Act since the provision came into effect in 2014. The OAIC has only sought a penalty in one case, against Facebook, which is ongoing.
2.54 The Law Council suggested that the terminology has been inappropriately adopted from the Consumer Law, without regard to the nuances of the privacy regime and the types of harms it seeks to address.
2.55 With respect to the term ‘benefit’, for example, the Law Council argued that the potential ‘benefit’ to a corporation resulting from serious or repeated data mismanagement is not as clear as it might be under the Consumer Law:
…the reference to ‘benefit’, as proposed to be inserted into section 13G of the Privacy Act, will likely need additional discussion and clarity, as it is currently unclear how one would determine the benefit obtained from a breach of the Privacy Act. The Law Council cautions that penalty and benefit calculations may, once formalised, be utilised as loss quantification frameworks in civil claims and class actions. The Law Council accordingly suggests that consideration be given to reframing section 13G to reflect the harm caused by serious privacy infringements, rather than the value of the benefit obtained by the breaching entity.
2.56 The BCA also questioned use of the term ‘benefit’ in the Bill:
These penalties are being introduced in the context of cyberattacks affecting organisations across Australia. But for cyberattacks, the logic of deriving penalties through looking at ‘benefits’ (or, where these can’t be determined, turnover) is nonsensical. The ‘benefits’ an entity derives from being the victim of crime can only be measured in the negative—through lost reputation, customers, revenue, intellectual property, or other assets, and the costs of remediating and mitigating the fallout.
2.57 In evidence, the AGD also discussed how the mechanism in proposed subsection 13G(3) might operate, with particular attention to determining the value of a ‘benefit’. One official explained that there is a difference between a privacy breach and a cyberattack, which the proposed provision is seeking to consider: however, ‘there will be some circumstances where there just isn’t a benefit, and that’s when the maximum penalty of $50 million will apply’.
2.58 In a similar vein, the Commissioner contemplated a scenario in which there was a malicious hack where the ‘benefit’ to the regulated entity would need to be assessed:
[This] may be difficult to determine…[T]here are likely to be submissions by the entity that’s been breached to say that the concept of benefit doesn’t arise in the circumstances…in which case the maximum of $50 million may be operable. I need to stress: a court needs to assess the amount of penalty to be provided. It doesn’t necessarily flow that $50 million will be what’s awarded. Currently, section 13G of the Privacy Act is subject to section 80 of the Regulatory Powers Act, which provides that the court must take account of all relevant matters, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct.
2.59 Ms Kate Pounder, Chief Executive Officer of the Tech Council of Australia, also agreed with the AGD that there are distinctions to be made in the application of the proposed maximum penalties:
When determining the penalties, the questions are: has there been a breach of the act; what is the nature of that breach—is it serious, is it repeated; and did the company take reasonable steps to prevent it? We can see that, where a company has intentionally tried to do the wrong thing, all of those answers may readily flow from each other, but in the case of a malicious hack we have to ask those questions very carefully. Firstly, a company can be the victim of a malicious cyberattack, and we know from the information that the commission is reporting that about two-thirds of the mandatory data breaches they receive are the result of a malicious hack. The company may not have actually breached the Privacy Act when that attack has occurred, firstly because cyber incidents don’t necessarily result in a data breach and secondly because the data breach itself may not have been a breach of the Privacy Act. It’s important not to lose sight of that distinction.
Secondly, when we think about the sophistication of some of the state-based actors or significant criminal syndicates, there can be some very sophisticated types of cyberattacks where a company may well have taken a number of reasonable steps, such as having the right, being legally required to hold the data in the first place or maintaining it securely. They may have very sophisticated systems, security and penetrating testing, or internal cybersecurity teams that are constantly monitoring for either errors or attacks. They may have trained all their staff. They may have detected an incident very quickly and instantly notified authorities and started cooperating with them—yet still they may have had a terrible attack. When we question whether there has been a breach of the act—how serious it was, if it was repeated, and whether they took reasonable steps—all of those factors are very material. They should, therefore, also be material to the question of the right penalty.
‘Serious interference’ or ‘repeated interference’
2.60 The majority of submitters and witnesses focussed on the terms ‘serious interference’ and ‘repeated interference’ in proposed subsection 13G(1) of the Privacy Act, submitting that this provision should be amended or reconsidered. The Law Council highlighted:
…the terms of ‘serious interference’ and ‘repeated interference’…are not defined, and unlike other sections of the Privacy Act, are not supported by a non-exhaustive list of factors that would give rise to such a contravention.64
2.61 DIGI argued that, in view of the substantial penalties proposed under the Bill, what constitutes a serious or repeated interference with privacy must be better defined:
…their scope and application need to be exceedingly clear, and greater clarity will ultimately assist APP entities’ compliance efforts. We are concerned that the Act does not define a ‘serious’ or ‘repeated’ interference with privacy, creating uncertainty as to the circumstances in which this civil penalty provision may apply. To provide APP entities with greater clarity as to the potential application of the amended penalty provision, we submit that the Bill be amended to include a definition of both a ‘serious’ and ‘repeated’ interference with privacy that covers only the most egregious breaches of the Act.
2.62 The Law Council acknowledged that the OAIC has published guidance, identifying factors and conduct which it would take into account when deciding whether to seek a civil penalty under existing section 13G of the Privacy Act. However, ‘while such guidance material is helpful to providing a degree of clarity, these key threshold terms have not had the benefit of substantive interpretation through case law’.
2.63 Rather than amend the definitions in section 13G, the BCA suggested that greater clarity could be provided by amending section 80U of the Privacy Act, which sets out factors to be taken into consideration when a court determines pecuniary penalties. It argued that the following factors should be included:
- Whether a breach was the result of deliberate, reckless, or negligent behaviour on the part of the regulated entity;
- Whether a regulated entity was compliant with recognised or prevailing standards for security and had robust privacy frameworks in place;
- Whether an entity acted promptly to investigate the matter, sought appropriate expert assistance, and worked in good faith to address harms to citizens; and
- Whether an entity disclosed the breach at an appropriate time to mitigate damage to all involved.
2.64 AGD representatives noted that the Bill seeks to amend only the ‘quantum’ of penalties under section 13G of the Privacy Act and does not touch upon the existing terminology of ‘serious’ or ‘repeated’ interferences:
It’s not affecting the existing obligations under the act, nor is it affecting the way in which, in cases of serious or repeated breaches where the commissioner is of the view that civil penalties are warranted, she would go to the court to seek those, and it would be a matter for the court to determine, in the circumstances of that case, what would be appropriate.
2.65 In relation to what might constitute ‘serious interferences’ or ‘repeated’ interferences, the AGD acknowledged that the OAIC already provides guidance on these matters but recognised that it would be appropriate for the identified factors to be updated on passage of the Bill. Further:
Another one of the issues that we are considering as part of the Privacy Act review is whether the provision could be made clearer. One of those options might be through guidance. Another idea might be to take the guidance which the OAIC has done and specify those factors in the provision itself. They’re all options that we’re currently considering.
Enforcement powers
2.66 As noted by the Attorney-General in his second reading speech, the Bill would provide the Commissioner with ‘a suite of improved and new powers to resolve privacy breaches efficiently and effectively’.70 This section discusses two of the proposed powers and the related issue of OAIC resourcing.
Extraterritorial operation
2.67 Item 10 in the Bill would repeal paragraph 5B(3)(c) of the Privacy Act to remove the requirement for an organisation or small business operator to collect or hold personal information in Australia or an external territory, before or at the time of the act or practice in question, to have an ‘Australian link’.
2.68 Some submitters welcomed this proposal which would extend the operation of the Privacy Act to overseas organisations and small business operators who ‘carry on a business’ in Australia. Electronic Frontiers Australia submitted that ‘it is right and proper that Australians should expect data about them to be kept safe no matter how it came to be in the possession of an organisation’.
2.69 Digital Rights Watch argued that the repeal of paragraph 5B(3)(c) would make the Privacy Act ‘more fit for purpose in the global internet economy’ and ‘make it harder for foreign companies to avoid meeting the requirements of the Privacy Act’.
2.70 Similarly, CHOICE viewed the current provision as ‘an unfair loophole that means some international corporations may be exempt from adhering to critical privacy protections’.
2.71 Some submitters did not, however, support the proposed repeal of paragraph 5B(3)(c). The Law Council expressed its concern that ‘there is no balancing reform that would limit the effect of the Privacy Act to information that has some connection with Australia’. It explained:
…removing paragraph 5B(3)(c), without replacing it with any other provision, may have broader implications and consequences than is intended. Repealing this paragraph would likely not limit the extraterritorial application to personal information ‘from a source in Australia’ as envisaged in the Explanatory Memorandum. Rather, this repeal could have the unintended effect of being applicable to all foreign organisations operating in Australia for all their privacy practices, including those that affect citizens of other nations who do not have any link to Australia, because the amendment would mean that the threshold to satisfy the ‘Australian link’ is that the foreign operation carries on business in Australia.
2.72 Both the BCA and DIGI agreed with this assessment. DIGI commented that ‘it is not clear why Australian laws seek to regulate the management of personal information that has no direct connection with Australia or with Australians’. The BCA added that the proposed provision also ‘risks bringing Australian laws into conflict with requirements made in other jurisdictions’.
2.73 On this point, the Law Council submitted:
…it will be important to understand the scope and impact of the proposed changes and consider the potential for conflicts of laws and unintended legal consequences for sectors that are already regulated, either under their applicable home data protection regimes or industry-specific regulations that authorise and regulate their sphere of operations in Australia.
2.74 The OAIC supported the repeal of paragraph 5B(3)(c) of the Privacy Act, which it considered would, among other things, ‘simplify the requirements around the circumstances in which the Privacy Act extends to an act or practice of an organisation outside Australia’.
2.75 In evidence, the AGD affirmed its view that ‘the nexus that comes from carrying on a business provides a useful nexus’ for the purposes of section 5B of the Privacy Act, adding that this approach is consistent with at least one international jurisdiction:
The focus, if that second limb is removed [in paragraph 5B(3)(c)], is that the nexus in that circumstance would be to demonstrate that the foreign organisation is carrying on a business in Australia. That mirrors the approach taken to foreign organisations in relation to competition and consumer law in Australia, and we know that, while it is framed slightly differently, the New Zealand Privacy Act has a similar way of dealing with that type of extraterritorial provision.
General Data Protection Regulation
2.76 Several submitters did not agree with the OAIC that the proposal would simplify the circumstances in which organisations or small business operators overseas would be subject to Australian privacy law. Many referenced article 3 of the GDPR which deals with extraterritoriality. DIGI summarised the effect of this article, as follows:
…the EU’s regulation…applies to (1) individuals that are EU residents, (2) organisations that are based in the EU, or (3) organisations based outside the EU that monitor the behaviour of EU citizens. This still enables compliance from foreign entities, while still requiring a connection to the EU. This is important as it provides foreign companies with a degree of clarity as to which organisation is the responsible international regulator.
2.77 The Law Council, the Australian Privacy Foundation and Privacy 108 Consulting argued that the Bill should align with the approach adopted by the GDPR. The Law Council considered that this would address its concern with the repeal of paragraph 5B(3)(c), by allowing for the relevant personal information to have some link with Australia for the attachment of Australia’s privacy law.
2.78 While the Law Council suggested that the Bill could alternately be amended to include a balancing limitation, it considered that the extraterritorial operation of the Privacy Act is a matter best considered as part of the Privacy Act Review. In addition:
…[A]lthough it is not a bar to enacting legislative change now, the Law Council notes that the effect of existing subsection 5(3) of the Privacy Act is a significant issue in a current appeal before the High Court of Australia in Facebook Inc v Australian Information Commissioner.
Information gathering powers
2.79 The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify affected individuals and the Commissioner if an entity has reasonable grounds to believe that an ‘eligible data breach’ (as defined in section 26WE) has occurred.
2.80 Proposed section 26WU of the Privacy Act would give the Commissioner the power to require the giving of information, the production of documents or the answering of questions in relation to actual or suspected ‘eligible data breaches’, or an entity’s compliance with the notification requirements.
2.81 The OAIC submitted that the proposed section would help to inform the Commissioner in the exercise of her functions and powers:
[The information gathering powers] will help to ensure the OAIC has a comprehensive knowledge of the information compromised in a breach, and other relevant facts and circumstances, to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.
2.82 CHOICE supported enabling the Commissioner to access, request and assess a regulated entity’s compliance with the NDB scheme, pointing out that the scheme ‘relies on the discretion of businesses to disclose data breaches and individual harm’.
2.83 However, the BCA considered that the proposed power should be ‘bounded by some form of time-based requirement’, such as expiration of a 30-day assessment period after first notification to the Commissioner of an actual or suspected data breach:
Businesses may not have notified the Commissioner as they actively investigate and determine the extent of the breach. Information requests at this time may well be at best a distraction and at worst actually cause the relevant entity to take its focus away from the main objective of securing the breach and protecting data subjects. It is important to ensure that disclosure is well managed and avoids confusion or misinformation. Any regime that is intended to cause early disclosure should be carefully considered when compared with the harm that may occur either to stakeholders as a result, or to the effective investigation into or remediation of the breach itself.
OAIC funding
2.84 Many submitters expressed concern about the proposed expansion of the OAIC’s enforcement powers without a commensurate increase in resourcing.89 The Law Council argued:
The OAIC must be sufficiently resourced to perform and implement the proposed enhanced enforcement powers, while also discharging its other key statutory functions and activities, including providing information to the public, organisations, and agencies about their rights and obligations under the Privacy Act.
2.85 Similarly, Digital Rights Watch commented on the need for requisite and stable funding, which it argued is fundamental for the OAIC to be a strong and effective regulator:
The additional $5.5 million allocated to the OAIC to investigate the Optus data breach in the most recent budget does not meet the ongoing funding needs of the OAIC. The digital ecosystem and privacy issues that come with it are only increasing in complexity, severity and frequency. The OAIC urgently needs increased funding that is not tied to one specific investigation to be able to meet its growing responsibilities.
2.86 Dr Kemp agreed, submitting:
…an active, properly funded privacy regulator is essential if we are to reduce the scope and frequency of data breaches rather than simply turning to the regulator for the ‘clean-up effort’. While major data breaches obviously dominate recent headlines in Australia, it is also important to remember that many substantial privacy harms are imposed on individuals even where there is no eligible data breach. Australians currently face long delays in having their complaints addressed by the OAIC and some apparently clear and long-standing breaches of the APPs have not been addressed at all.
2.87 The AGD noted the additional funding provided to the OAIC in the Federal Budget 2022-2023, as well as $17 million over two years to support the OAIC in its response to the increasing complexity of privacy complaints, and to undertake effective enforcement action and litigation.93 Officials further advised:
[AGD is] always carefully looking at the resourcing requirements and the government is mindful of that. We’re very conscious that the Privacy Act review could indeed look at the approach and the way in which the office operates and how we can support that, so there will be further consideration there.
2.88 When asked about resourcing levels, the Commissioner stated that the Bill would create efficiencies for the OAIC and would not impose additional resource demands. However, Ms Falk advised:
I am continuing to be in discussions with government around the resourcing requirements of the office into the future, noting the significant issues facing Australian businesses, not only around data breaches but around complexity of information-handling practices.
2.89 With reference to the recent funding to investigate the Optus data breaches (see paragraph 1.12), the Commissioner stated:
…[W]e will always take the regulatory action warranted in the circumstances. On this occasion, I have gone to government, I have sought the funding and it has been provided. I will continue to raise the issue of the need to have access to a funding base that takes account of the need to bring litigation.
Information sharing powers
2.90 The Bill would provide information sharing powers to the OAIC and the ACMA. Some submitters commented on these proposed provisions.
Privacy Act
2.91 Proposed section 33A of the Privacy Act would enable the Commissioner to share information or documents with a ‘receiving body’ (as defined in proposed subsection 33A(2) of the Act) for the purposes of the Commissioner or the ‘receiving body’ exercising their powers or performing their functions or duties.
2.92 Submitters—such as the OAIC and the Australian Federal Police (AFP)—explicitly supported the proposed provision. The AFP considered that proposed section 33A would ‘contribute to better outcomes for affected individuals and entities’,98 while the OAIC emphasised the benefits of efficient and effective regulatory cooperation:
The Bill will provide clear circumstances in which the Commissioner may share information with other bodies where necessary, including law enforcement bodies, an alternative complaint body and State, Territory or foreign privacy regulators. These measures will help to ensure that duplicative investigation and regulatory responses – both domestically and globally – are avoided and limited resources are directed appropriately.
2.93 The Law Council expressed its concern with the broad power that it argued is subject to limited safeguards:
Beyond the restriction that the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act, the only other condition imposed with respect to the Commissioner’s decision to share this information, per proposed paragraph 33A(3)(b), is that:
- …the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.100
2.94 The BCA agreed that the safeguards in proposed section 33A are insufficient, submitting that affected organisations—and therefore individuals also—will be unaware of the sharing and use of personal information:
…at a minimum, the information sharing powers be amended to require the OAIC to inform the relevant organisation that both the sharing is occurring and for what purpose. This will allow the organisation to provide additional or supporting context to the receiving agency, if needed…The proposed information sharing powers could also create a double jeopardy risk for entities where information is shared between regulators under broadly defined powers. In addition, we are concerned that information gained in one context, when provided to another agency for an associated but perhaps different context, may be incorrectly relied upon.
2.95 Amazon Web Services shared the Law Council and the BCA’s concerns, submitting that proposed section 33A is overly broad, not subject to appropriate safeguards, and may cause significant privacy concerns for organisations and the wider community:
The effect of the powers under section 33A is such that an organisation could share information regarding an eligible data breach with the Commissioner, who may then share that information (including the personal information of Australians) with any “receiving body” for any purpose of the receiving body—including to pursue investigations or matters that are not related to the data breach in question. This could all occur without the consent or knowledge of the organisation, or any affected individuals. It is also concerning that any of this information, especially personal information, may be given to a foreign authority without the consent or knowledge of the organisation or affected individuals.
2.96 The Law Council identified an additional concern with the proposal to allow broader information sharing: there is a significant risk that the regime proposed under proposed section 33A may act as a deterrent for entities that would otherwise pursue early and voluntary engagement with the regulator:
The sharing of information by the Commissioner with other bodies…has the potential to undermine the voluntary aspects of OAIC’s regulatory approach, which may be necessary to mitigate or resolve privacy issues at an early stage. The risk of disincentivising voluntary reporting might be compounded by the indefinite, and potentially expansive list of bodies authorised to receive information…The Law Council suggests consideration be given to amending this provision to provide an exhaustive list of relevant bodies authorised to receive information under the Privacy Act.
Disclosure in the public interest
2.97 Proposed subsection 33B(1) of the Privacy Act would give the Commissioner a discretion to disclose information acquired in the course of exercising powers, or performing functions or duties, under the Act if the Commissioner were satisfied that it is in the public interest to do so. A list of mandatory and discretionary factors that would need to be taken into consideration are set out in proposed subsection 33B(2).
2.98 The OAIC submitted that the proposed provision would provide clear authority for the publication of information, if it is in the public interest. It argued that publication would ensure that Australians are informed about privacy issues and reassured that the OAIC is discharging its duties.
2.99 The BCA expressed its concern with the risk of disclosure prior to completion of an investigation: ‘this is completely contrary to how the OAIC currently conducts investigations and contrary to how most regulators conduct their investigations’. Further, it voiced concerns about the ‘blanket power’ which does not limit the nature of information that can be disclosed:
…[D]isclosed information might include any information supplied to the Commissioner in the course of an investigation, regardless of whether that information is contested as to accuracy, completeness or relevance.
2.100 The BCA submitted that proposed section 33B(1) does not contain sufficient safeguards and, similar to the Law Council’s concerns in relation to information sharing powers, may discourage companies from disclosing matters to the Commissioner, with adverse effect:
There is no requirement of prior consultation with the person or entity that provides the relevant information or to whom the information relates. There is also no requirement for the Commissioner to consider proportionality or to balance benefit to the person or entity that provides the relevant information or to whom the information relates against, merely to “have regard” to the matters proposed [in] section 33B(2). This could lead to situations where the OAIC publishes information that will allow further attacks to be made against an organisation, if the OAIC fails to understand the nature of the information it is releasing. Moreover, disclosing during an investigation information obtained as part of the investigation has the potential to undermine, compromise and delay any such investigation.
Chapter 3
Conclusions and recommendations
3.1 The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) comprises the Australian government’s earliest possible and interim response to recent large-scale data breaches.
3.2 The committee recognises that millions of Australians have been harmed by the hacking of and subsequent criminal release of personal and other sensitive data that individuals provided to government and business for legitimate reasons.
3.3 The committee supports the Australian government, its departments and agencies in developing comprehensive and robust policies and measures to combat cybercrime, to protect personal and other sensitive data, and to assure Australians that the security of their personal information is of the utmost importance.
3.4 The Attorney-General’s Department (AGD) review of the Privacy Act 1988 (Privacy Act) was referenced throughout the inquiry, with several suggestions for matters that should be included as part of that holistic review.
3.5 The committee acknowledges that the AGD is aware of these suggestions, many of which are already being considered. While not part of this inquiry, the committee especially notes data minimisation, safe harbour mechanisms for compliant regulated entities, compensation for identifiable harms and civil actions (such as a statutory tort for serious invasions of privacy), as particular matters for consideration.
3.6 AGD advised that the Privacy Act review is nearing completion, with the Australian government keen to introduce reform to Australian privacy law. The committee agrees that this reform, more than 30 years after introduction of the Privacy Act and in a dynamic digital landscape, is long overdue. The committee would welcome a five-year statutory review of the privacy law reforms, following completion of the Privacy Law Review.
3.7 The committee welcomes the Australian government’s attention to modernising and strengthening Australian privacy law. With this report, the committee makes recommendations that are aimed at enhancing these objectives. In particular, the committee accepts submitters’ and witnesses’ views that certain provisions in the Bill require further examination.
3.8 Strictly speaking, proposed subsection 13G(1) of the Privacy Act is a technical amendment in the Bill, however, submitters and witnesses raised concerns about the clarity of two key definitions: ‘serious interference’ and ‘repeated’ interference. Given the proposed quantum for contraventions of this provision, and notwithstanding that the Office of the Australian Information Commissioner (OAIC) has provided some guidance on the matter, the committee agrees that the legislation should provide more clarity about what would comprise a ‘serious interference’ and a ‘repeated’ interference.
Recommendation 1
3.9 The committee recommends that the Attorney-General’s Department, as part of its review of the Privacy Act 1988, recommend amending section 13G of the Act to define the terms ‘serious interference’ and ‘repeated’ interference and that the Australian government implement such a recommendation.
3.10 The committee received considerable evidence on the maximum penalties in proposed subsection 13G(3) of the Privacy Act, as well as the practical operation of that provision.
3.11 The committee is concerned about the proposed mechanism for determining the maximum penalty for a regulated entity in the event of a data breach. In its view, the difficulty in identifying and determining the requisite ‘benefit’ has the potential to lead to perverse outcomes. The committee suggests that the incorporation of the term ‘benefit’ from the Competition and Consumer Act 2010 has not been helpful. While the test of ‘reasonable steps’ might mitigate the operation of the proposed provision, the committee considers that the AGD should further consider the way in which this provision has been drafted.
3.12 In principle, the committee supports the proposed repeal of paragraph 5B(3)(c) of the Privacy Act. As highlighted by Electronic Frontiers Australia, ‘Australians should expect data about them to be kept safe no matter how it came to be in the possession of an organisation’.
3.13 The committee acknowledges, however, the argument raised by multiple submitters and witnesses—including the Law Council of Australia—that the proposed provision has been too broadly drafted and must retain some connection with Australians’ information, as is the case in the European Union’s General Data Protection Regulation.
Recommendation 2
3.14 The committee recommends that the Attorney-General’s Department, as part of its review of the Privacy Act 1988, examine the appropriateness of section 5B providing for any additional ‘Australian link’.
3.15 The Australian government provided additional funding to the Office of the Australian Information Commissioner in the Federal Budget 2022-2023. The committee heard that there are concerns about the OAIC’s ability to perform its functions without ongoing and stable funding. However, the Commissioner assured the committee that both the OAIC and the AGD closely monitor the situation and to date, extra funding has been provided as and when required.
Recommendation 3
3.16 Subject to the above recommendations, the committee recommends that the Bill be passed.
Additional Comments by Senator Paul Scarr
1.1 I agree with each of the three recommendations of the committee detailed in the report.
1.2 In relation to the review of the Privacy Act 1988 (the Privacy Act) referred to in paragraph 3.4, I support the consideration by the Attorney General’s Department of the matters referred to in paragraph 3.5.
1.3 There is an additional matter which, in my view, should be the subject of a recommendation; namely, the drafting of the maximum penalty provision.
1.4 I note the discussion in the report in relation to the increase in maximum penalties and the structure of the maximum penalties proposed to be inserted in section 13G for body corporates. In my view, the report does not go far enough in this regard. Numerous stakeholders have raised concerns with respect to the drafting of this section and rightly so.
1.5 For ease of reference, I quote the proposed wording:
(3) The amount of the penalty for [a serious or repeated interference of privacy] is an amount not more than the greater of the following:
(a) $50,000,000;
(b) if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly, and that is reasonably attributable to the conduct constituting the contravention – 3 times the value of that benefit; and
(c) if the court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period for that contravention.
1.6 The proposed wording is problematic for a number of reasons:
(a) It presupposes that there has been some benefit generated through the conduct constituting the contravention (it refers to ‘the benefit’ in paragraph (b) rather than ‘any benefit’). However, in circumstances where a body corporate has been the subject of a cyber-attack and is found to have engaged in conduct constituting the contravention because it was (for example) wilfully reckless or grossly negligent in protecting the personal information/data, what is the benefit that the body corporate received? There is no readily identifiable benefit. (It is noted that one could possibly attempt to construct a ‘benefit’ based on the additional cost that the body corporate would have incurred had it had in place sufficient protections to prevent the hack, but this is a somewhat torturous exercise, and it is not clear that the term ‘benefit’ is intended to cover such cost savings).
(b) The issue in paragraph (a) leads to the observation that the maximum penalty clause makes no distinction between circumstances where a body corporate may be the subject of a cyber-attack and therefore an unwilling participant in the privacy breach, as opposed to a body corporate that is a willing participant (or actively initiates) a privacy breach for financial benefit.
(c) There is a potentially precipitous escalation of the maximum penalty to 30 per cent of adjusted turnover which could be disproportionate because there is an issue of calculation of the benefit.
(d) There is no tiering of the penalty to account for the spectrum of body corporates (based on size and purpose) that could be subject to the penalty which means that a small to medium sized enterprise/charity is subject to the same maximum penalty as a very large multinational company which should have the most sophisticated cyber defences available.
Recommendation 1
1.7 Given the amount by which the existing penalty is proposed to be increased, it is strongly recommended that the maximum penalty clause be reconsidered to address the above issues.
Senator Paul Scarr
Deputy Chair
Additional Comments by Senator David Shoebridge
1.1 There was significant concern amongst stakeholders and witnesses regarding the structure of the proposed new penalty regime. While there was near universal support for increasing the maximum penalty to up to $50 million, the lack of a tiered penalty regime and the drafting of the amendments to section 13G of the Privacy Act 1988 created significant weaknesses in the privacy regime.
1.2 The proposed model that seeks to link the maximum penalty for breaches to the benefit received through the privacy breach was modelled from competition law. There is common sense in linking maximum penalties to the benefit received when the offense in question is a breach of competition laws. When corporations engage in practices to manipulate markets or engage in other anti-competitive conduct the returns can be in the billions of dollars. For this reason, a maximum fine in the tens of millions of dollars would be ineffective.
1.3 In the privacy space, the benefit that corporations obtain from privacy breaches is far more ambiguous. For many entities there is a net loss from privacy breaches, think for a moment of the reputational damage currently being done to Optus and Medicare from their data breaches. It appears that in neither of these cases was the privacy breach intentional, the ‘benefit’ if there was one was historic underinvestment in cyber security.
1.4 It is not clear from the drafting if the ‘benefit’ is the net benefit received. It is also not clear how the proposed alternative maximum fine, of up to one-third of the annual turnover, will be engaged where there is no benefit or the benefit is hard to determine. These difficulties arise from taking provisions designed for one part of the law and unthinkingly applying them to this. There is a need for the government to closely consider these drafting issues as a matter of urgency.
1.5 As noted above, the proposed increase to a maximum $50 million penalty is broadly supported, including by the Greens. However, removing the existing penalty and having only a one-size-fits-all offense with a maximum penalty of $50 million leaves the regulator with only one button to push, the nuclear button with a potentially financially disastrous fine. As the majority of contributors to the inquiry made clear, there is a need for a far more nuanced approach with tiered penalties. For that reason, there would be real benefit in agreeing to the larger maximum fine for serious or repeated breaches then keeping the existing penalty for lesser breaches which are not necessarily serious or repeating.
1.6 When it comes to resourcing, it was abundantly clear from this inquiry that the Office of the Australian Information Commission is seriously underfunded. As the Commissioner noted in her evidence, her UK equivalent regulator has 10 times the staff. The Commissioner also noted that the $5.5 million obtained to undertake her investigation into just one breach, the Optus breach, fairly represented what a complex investigation would cost. So it is fair to ask how the office will properly investigate the raft of other data breaches already seen, not least Medibank.
1.7 With a total budget of just over $33 million annually, from which all of the FOI and privacy work must be undertaken, there is an obvious lack of practical capacity for the OAIC to undertake any more than one serious privacy breach investigation at a time. This lack of financial capacity is even clearer when you consider that the FOI work is already chronically delayed and underfunded, causing year-long delays in resolving reviews. The end result may well be that the Parliament agrees to tougher penalties but the government starves the regulator of the funds to ever seriously enforce them. That at best is a pyrrhic victory for data security.
Senator David Shoebridge
Greens Senator for New South Wales
The passage of the legislation has been covered in the InnovationAus article “‘Flawed’ data breach penalty laws pass Parliament”, which provides:
Legislation that significantly increases fines against companies for privacy breaches has sailed through Parliament with support from the Opposition, despite enduring concerns around the operation and practicality of the penalty regime.
Companies will now be subject to fines of $50 million, three times the value of any benefit obtained through the misuse of data, or 30 per cent of a company’s adjusted turnover in the relevant period, whatever is larger, for serious or repeated privacy breaches.
The change, which was prompted by the Optus data breach and precedes further structural changes to the Privacy Act, brings the maximum penalties available to the Office of the Australian Information Commissioner (OAIC) in line with newly minted consumer law.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed the Senate on Monday afternoon after an hour-long debate and was later given the tick of approval by the House of Representatives.
Both the Opposition and Greens moved amendments in the Senate to address concerns raised by multiple stakeholders and witnesses at the Legal and Constitutional Affairs Legislation Committee inquiry earlier this month but were unsuccessful.
The concerns raised go to the lack of a definition for ‘serious’ and ‘repeated’ interferences of privacy in the bill, as well as the inclusion of terms like ‘benefit’ in the penalty regime which assumes companies always benefit from a privacy interference.
Stakeholders, including Australia’s three technology industry groups, also recommended tiering of penalties to ensure small to medium-sized businesses and charities aren’t subject to the same penalties as multinationals.
The government rejected the amendments on Monday but committed to addressing the concerns as part of its ongoing review of the Privacy Act, which the Attorney-General’s Department (AGD) is expected to finish before the end of the year.
“Reforms to clarify key definitions in the Privacy Act, develop a tiered penalty regime, provide greater clarity on the applications of penalties and enhance security guidelines are being considered through the Privacy Act review,” Agriculture minister and Labor senator Murray Watt said.
“It’s appropriate that these reforms be considered holistically in these processes given the range of complex and interconnected issues and other work across government.”
Greens Senator David Shoebridge, who supported the bill “with reservations”, said the absence of clear definitions and linking the maximum penalties to benefit “expose significant weaknesses in the government’s proposed model”.
“In the privacy space, the benefit that corporations may obtain from privacy breaches is in fact far more ambiguous than for many entities, and we’re seeing this play out at the moment with Medibank and Optus and others,” he said.
Senator Shoebridge said the operation of the penalty regime in the case of an unintentional privacy breach, where the benefit to an entity is at the very least unclear, if not “actually a net loss”, is as “clear as mud”.
“Those difficulties arise from taking provisions that are designed for one part of the law, in this case competition law, and unthinkingly cutting and pasting them and whacking them into privacy law,” he said.
“So, there is a very real need for the government to closely consider these drafting issues and do it as a matter of urgency.”
The reliance on benefit to determine the fine and the structure of the penalty regime could also see organisations that intentionally breach the privacy of individuals receive a smaller fine than those that suffer an accidental breach.
Senator Shoebridge said it could similarly see the OAIC fall back on the $50 million “nuclear option” as it is the only realistic fine available, leaving the regulator “in an almost impossible situation”, particularly in the case of charities.
“The end result is that the Parliament might agree to these tougher penalties — and it looks like they will — but the government has starved the regulator of the funds to seriously enforce them,” he added.
“We might at the end of this have a pyrrhic victory for data security. We get a headline, we get a penalty that’s almost impossible to use because of the size and the scale of it, and we give it to a regulator which barely has the money needed to keep the lights on, let alone bring an actual prosecution in this space.”
Liberal senator Paul Scarr made similar recommendations for “where the legislation can be enhanced and improved”, but the Opposition ultimately supported the bill in its current form, having been given assurance its concerns will be addressed.
In response to senator Shoebridge’s concerns, senator Watt said the bill “does not otherwise constrain the exercise of the court’s discretion to impose a penalty that is appropriate”, meaning that there is “some protection of an overwhelming fine” against small to medium-sized business and charities.
“The bill is an essential first step of the government’s agenda to ensure Australia’s privacy framework is fit for purpose and responds to new challenges in the digital era. Further reforms will be considered next year, following consideration of the AGD’s review of the Privacy Act,” he said.
“This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians’ personal data and will ensure Australia’s privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively.”