WHO SHOULD READ THIS

  • Individuals, private sector and not-for-profit organisations with annual turnovers of $3 million or more per financial year; small businesses which handle personal information.

THINGS YOU NEED TO KNOW

  • Changes to Australian privacy laws may expose APP entities to hefty fines for misuse of personal information.

WHAT YOU NEED TO DO

  • Ensure your dealings with personal information comply with the Privacy Act; and
  • review your data breach response plan (or put one in place).

The Federal Government has announced major changes to the Privacy Act 1988 (Cth) (Privacy Act), including additional powers for the Office of the Australian Information Commissioner (OAIC), and tougher penalties for misuse of personal information.

The Attorney-General stated that the Privacy Act required updating in response to the recent boom of online companies trading in personal data.  The amendments are intended to protect Australians (especially children) using the Internet, ‘without impeding the continued innovation and development of companies working in the online space.’

Big dollars at risk for not being discreet

The new regime will increase the maximum penalties for misuse of personal information by entities covered by the Privacy Act, from $2.1 million for serious or repeated breaches, to the greatest of:

  • $10 million
  • three times the value of any benefit obtained through the misuse of information
  • 10% of a company’s annual domestic turnover

The updated penalties will bring Australia more in line with the General Data Protection Regulation (GDPR) penalty regime, under which the maximum penalty for a company’s breach of privacy is €20 million or 2% of that company’s annual global turnover.

Personal information is misused if it is used by an APP entity for a purpose that is not permitted by the Privacy Act. Misuse may be a deliberate or an accidental invasion of privacy; common examples are the collection or disclosure of private information about an individual without the individual’s consent (as required under the Privacy Act).

The penalties will apply to multinational social media and online platforms operating in Australia, including tech giants Google and Facebook.  For some companies, fines under the new laws may exceed $100 million.

OAIC given the key to procure cooperation

The OAIC will be given powers to issue infringement notices for failure to cooperate with efforts to resolve minor breaches.  Backed by new penalties of up to $63,000 for companies, or $12,600 for individuals, it is hoped these powers will encourage collaboration and assistance.

The Government also intends to provide the OAIC with more options to ensure breaches are addressed, via third-party reviews, and/or publication of notices about specific breaches, in order to ensure individuals who are directly affected are aware of threats to their personal information.

The recently announced 2019 budget includes a $25.1 million increase to the OAIC’s funding over the next three years, to handle the changes and enforce compliance.  This is on top of the 2018 $12.9 million increase received by the OAIC in relation to the Consumer Data Right regime.

Individuals to be able to lock down access to their personal information

In addition to the above changes, online companies would be required to stop using or disclosing an individual’s personal information upon request.

Specific rules have also been proposed to protect the personal information of children and other vulnerable groups.

Behind the scenes action

It is understood that legislation addressing the above changes will be released for public consultation later this year.  We will continue to monitor developments in this space, and provide updates in due course.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.