What you need to know about privacy reforms in Australia | Media Pyro


Following the recent Optus and Medibank data leaks, the government has reaffirmed its commitment to privacy and data security reform by proposing tougher penalties for serious or repeated breaches of privacy.

October 26, 2022 in Privacy Amendment (Enforcement and Other Measures) Bill 2022 (Cth) was tabled in Parliament by the Attorney-General of Australia, Mark Dreyfuss.

It is clear that the draft law will be speedily considered by the government. After adoption, the bill will make changes to Privacy Act 1988 (Cth) (Privacy Act), which is also expected to be further reformed in the near future. In this article, we reveal the key changes proposed in the Bill and outline the steps that organizations bound by the Privacy Act should take now to prepare for the changes.

The main changes proposed by the draft law

The draft law proposes changes in five key directions which organizations subject to the Privacy Act, including foreign organizations doing business in Australia, need to understand:

1. Significantly increased penalties for serious or repeated violations of privacy

2. Enhanced data breach notification mode

3. New enforcement powers for the OAIC

4. Extended extraterritorial application of the Privacy Act

5. New information exchange for the OAIC and other regulators

1. Significantly increased penalties for serious or repeated violations of privacy

The bill would increase penalties under the Privacy Act for serious or repeated privacy violations to a much higher level than previously proposed or anticipated.

As we explored in a previous article, in October 2021 the previous Morrison government unveiled the Internet Privacy Bill.[1]which proposed increasing the maximum penalty for regulated entities involved in a serious or repeated invasion of privacy from A$2.22 million to the greater of:

  • 10 million Australian dollars;
  • in three times the amount of the benefit received by the business entity from illegal behavior; or
  • 10% of the organization’s turnover for the 12-month period that led to the violation.

In an apparent response to the recent Optus and Medibank data leaks in Australia, the bill would introduce maximum penalties for a regulated entity for serious or repeated privacy breaches, not limited to data breaches, but would apply to any serious or repeated failure. to comply with the Australian Privacy Principles (APPs) – to more of:

  • 50 million Australian dollars;
  • triple the value of the benefit received by the organization from the breach of confidentiality, directly or indirectly, if it can be determined by a court; or
  • 30% of the adjusted turnover of the organization (ie the sum of all supplies made by the company and its related corporate bodies) during the last 12 months or the relevant period of the breach, whichever is the longer.

In a global context, these proposed new penalties are higher than the maximum penalties currently applicable under the European Union’s General Data Protection Regulation (GDPR)[2].

2. Enhanced data breach notification mode

The current notifiable data breach regime under Part IIIC of the Privacy Act will be strengthened under the Bill to extend the powers of Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC), search for information and evaluate regulated entities and their compliance with the regime.

Under the Notifiable Data Breaches Privacy Act, any regulated organization must notify affected individuals and the OAIC when a “justifiable data breach” occurs – a data breach involving the loss or unauthorized access to or disclosure of personal information that may result in serious harm to one or more affected persons. The regime necessarily requires a regulated entity to make its own assessment of a particular data breach and whether it is a “relevant data breach” that requires notification, rather than the OAIC being involved in such an assessment.

Currently, the OAIC’s power under the Privacy Act to obtain information about a “relevant data breach” from a regulated entity is limited to information that the entity discloses in its notice to the OAIC and statement to affected individuals. If the OAIC wanted more information, it would need to launch a formal investigation into the organization and the data breach, and exercise its powers to request information during that investigative process.

Perhaps reflecting the time-sensitive nature of the data breach, the Bill does not require the OAIC to give a regulated entity a reasonable period to provide the requested information, and the OAIC will also be entitled to retain the records provided for any period. the time required to assess the organization’s compliance with the reportable data breach regime.

To support these additional powers, the Bill proposes new powers for the OAIC to issue infringement notices without initiating legal proceedings if a regulated entity fails to comply with the OAIC’s request for information and records when required. On the contrary, civil sanctions apply.

3. New enforcement powers for the OAIC

The main new enforcement powers for the OAIC under the Bill include:

  • in a determination following an OAIC investigation into a privacy complaint against a regulated entity, the ability to order the organization to engage an independent advisor to conduct an external review of the conduct that was the subject of the complaint and the organization’s proposed remedy to the complaint, to consult with the OAIC and to share the results of the review with the OAIC; and
  • also in determining, following an OAIC investigation of a complaint and subject to a public interest test, the ability to require the regulated entity to prepare a public statement about the conduct that was the subject of the complaint and either make the statement public or provide it to affected persons.

4. Extended extraterritorial application of the Privacy Act

The “Australian nexus” test for foreign entities doing business in Australia will also be changed by the Bill so that foreign entities are more likely to be subject to the Privacy Act, including APPs and the notifiable data breach regime.

The amendments remove the “second part” requirement that a foreign entity also collects or stores personal information in Australia in order to have a connection with Australia. Currently, a foreign organization is subject to the Privacy Act if it carries on business in Australia AND collects or stores information from a source in Australia.

The change is said to reflect that in the digital age, organizations can use technology in a way that means they do not collect or store information directly from Australia but still do business here. It also clearly addresses what was a key issue in the OAIC’s proceedings against Facebook (Meta) in relation to the Cambridge Analytica breach.

The amended position also reflects similar extraterritorial application provisions in the Australian Consumer Protection Act under Competition and Consumer Protection Law of 2010 (Cth).

5. New information exchange for the OAIC and other regulators

The Bill gives the OAIC the ability to share information, including personal information, with other regulatory authorities, including state, territory and foreign privacy regulators, law enforcement agencies and alternative complaints bodies (such as the Australian e-Security Commissioner) for the purpose of carrying out – or enabling the host regulator for execution – his powers, functions or duties.

In particular, the Bill also gives the OAIC and the Australian Communications and Media Authority (ACMA) expanded powers to exchange information. The Explanatory Memorandum to the Bill states that this is intended to facilitate greater and more effective collaboration between the OAIC and the ACMA to enable the OAIC to better inform Australians about privacy issues.

Key Takeaways – What do businesses need to do now?

If you are an organization required to comply with the Privacy Act, you should take steps to ensure that your privacy practices and procedures are up-to-date and adequately reflect the risk that privacy compliance – and non-compliance – now poses to your organization in light of the significant enhanced penalties and additional enforcement options for the OAIC to apply once the Bill is passed.

This includes:

  • carrying out a data privacy and auditing understand when, where and how personal information is collected, stored, used and disclosed within the organization, and identify where compliance risks exist and confirm what steps are needed to mitigate those risks;
  • view and update your data breach response plan – including ensuring how to respond to the OAIC’s requests for information in light of the OAIC’s enhanced powers – and regularly reviewing its effectiveness and training its people on its implementation;
  • reviewing third party risks and contracts, including service contracts and outsourcing agreements that involve the storage and/or processing of personal information on behalf of the organization by third parties, to determine whether confidentiality and information security are being adequately respected; and
  • given your cyber risk position with your insurers to make sure you are appropriate cyber risk insurance coverage.

If you a a foreign entity doing business in Australia – even simply offering products and services to customers in Australia via a website accessible in Australia – seek expert advice from a local Australian lawyer to determine whether you have an “Australian nexus” and are therefore bound by the Privacy Act , programs and notifiable data breach mode.


Source link

Avatar photo

About the author

Media Pyro is a site giving interesting facts about acer brand products. We also Provide information about your online Privacy Laws.