The amendments will provide the Commissioner with new powers including, but not limited to:
The Commissioner being provided with infringement notice powers brings the Australian regulation more in line with the UK legislation where the UK Commissioner can issue monetary penalty notices. Similarly the Federal Trade Commission has a different process but has a similarly quicker way of imposing penalties. It will be critical for businesses and organisations to understand their obligations otherwise they may be the subject of significant financial penalty, not to mention the reputational damage that comes with that.
The federal government has introduced amendments to beef up the Privacy Act.
Foreshadowed earlier this month following the Optus data breach, the amendments were introduced to the House of Representatives this morning by Attorney General Mark Dreyfus.
As promised, the amendments include higher fines for serious privacy breaches; a strengthened notifiable data breaches scheme; enhanced enforcement powers for the Australian Information Commissioner; and greater information sharing arrangements.
“The novel privacy challenges posed by the rise of digital platforms and the unprecedented volume and variety of data that these platforms collect from users underscores the importance of reforming our privacy laws,” Dreyfus said.
The current $2.2 million fines available to the Australian information commissioner are inadequate, with Dreyfus echoing statements by commissioner Angelene Falk that the fines must be more than “simply the cost of doing business”.
The new fines proposed in the legislation would be “not more than the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the value of the benefit obtained cannot be determined, 30 percent of a company’s domestic turnover in the relevant period.”
The amendments to the notifiable data breaches scheme will empower the Australian information commissioner to assess an entity’s compliance with the scheme.
The commissioner will also have “new information-gathering powers in regards to the scheme’s reporting and notification requirements,” Dreyfus said.
“This is necessary to provide the information commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals, and take actions such as issue a direction for the entity to notify individuals who have been affected by a data breach.”
The commissioner will also be given the power to publish notice about specific privacy breaches, “or otherwise ensure those directly affected are informed”.
The commissioner will have the power to compel entities to improve their practices, supported by information-gathering powers to conduct assessments.
New infringement notice powers will let the commissioner deal with non-compliant organisations, “without the need to engage in protracted litigation”.
The bill is also amending the Privacy Act’s extraterritorial provisions, so that “even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.”
Finally, information sharing will be bolstered in two ways.
The commissioner will have “an express power” to publish the determinations it makes following a privacy investigation, as well as updates into ongoing investigations.
There will also be a power to share information with enforcement bodies, other complaints bodies, privacy regulators; and “the Australian Communications and Media Authority will also be provided better powers to share information within government for enforcement purposes.”