The Government’s new Bill will give the Privacy Commissioner sweeping new powers regarding Privacy Act non-compliance and the power to impose new, increased penalties for breaches of the Act and the Australian Privacy Principles. Currently, the Privacy Commissioner’s enforcement powers are limited. When the Bill comes into force, that will change.
Finally, the Federal Attorney General Mark Dreyfus has introduced a Bill to amend the Commonwealth Privacy Act. This follows years of consultation and review beginning with the ACCC’s recommendations in 2019.
In this first insight of our series on the Privacy Act, we are focusing on the greatly expanded role and powers proposed to be given to the Office of the Australian Information Commissioner (OAIC) and the now-daily role it will play in the privacy management of businesses with more than $3 million in annual turnover.
The Old OAIC
Currently, the OAIC is a (relatively) toothless tiger. The OAIC is generally limited to ordering companies to cease offending conduct and it can only issue monetary penalties for egregious or wide-spanning breaches of the Privacy Act or Australian Privacy Principles (APPs).
The OAIC also has a very limited power to issue infringement notices (fines) to offending businesses without taking proceedings. Currently, the OAIC can only issue infringement notices for failures to provide information it requested for an investigation.
The New OAIC
Infringement Notices
As part of the proposed reforms, the OAIC would be able to issue infringement notices fining proprietary companies $19,800, or listed companies $66,000, for minor breaches of the Act. Some minor breaches that may attract these penalties are:
Having a privacy policy that doesn’t address all of the statutory requirements;
Failing to provide individuals with an easy way to opt out of direct marketing materials;
Improper handling of requests to correct personal information; and
Providing the Commissioner with a non-compliant or misleading statement regarding a data breach.
Tiered Penalties
The OAIC would also gain a discretion to instigate proceedings for either (or both of):
The existing civil offence of serious interference; or
The new, lesser offence for interference with privacy.
Theoretically, the OAIC could instigate proceedings for the new offence on behalf of a single individual’s privacy, with a possible penalty up to $626,000 for individuals or $3,130,000 for bodies corporate.
Emergency Powers
In the wake of the massive Optus and Medibank data breaches, the Bill proposes to give the OAIC a range of emergency powers. Following either a data breach or an emergency/disaster, the OAIC would be able to authorise disclosure to specified entities relating to the data breach or emergency. For example, the OAIC could temporarily permit an entity in the midst of a data breach to relay the details of those affected by the breach to government agencies to prevent misuse or fraud against the affected individuals.
In addition, at the Attorney General’s request, the OAIC may prepare and publish temporary APP codes that impose additional obligations in urgent circumstances, such as the example given of regulating contact tracing information during a pandemic.
Takeaways
It remains to be seen how the OAIC would utilise these new powers. It is clear that if the Bill becomes law, subject organisations will need to have in place not only compliant privacy policies but, importantly, also procedures to ensure they meet their obligations under the Act and the APPs for data collection, use, management and security. Increasingly, data breaches are becoming a case of “when”, not “if”. Organisations will have to know and comply with their obligations in the unhappy event that they suffer a privacy breach. The time to do that is now. Planning to get across the requirements in the midst of the drama of a data breach is a very bad plan indeed.
If you have any questions about the implications of these proposed changes and would like to future-proof your business, please contact Brett Cowell or Alex Dorrington in our Privacy & Data team.
This publication has been prepared for general guidance on matters of interest only and does not constitute professional legal advice. You should not act upon the information contained in this publication without obtaining specific professional legal advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication and, to the extent permitted by law, Cowell Clarke does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining from acting, in reliance on the information contained in this publication or for any decision based on it.