Tougher penalties in the Privacy Act are a good start, but not enough

In response to the Optus data breach, the Australian government has introduced a new bill to make changes to the Privacy Act.

So what’s in the Bill? And are the changes adequate? Read on for a brief explainer.  

The Australian government has confirmed that a comprehensive review of the Privacy Act is still on the way. The Coalition Government commenced the review process in 2020, and we expect a report by the end of 2022 with legislation in 2023. It’s vital we get privacy reform right. We have written a cheat-sheet to help you understand how we can make the Privacy Act stronger.

What are the changes in the proposed bill? 

Increased enforcement powers for the OAIC

This Bill beefs up the enforcement powers of the Office of the Australian Information Commissioner (OAIC). The OAIC is the federal privacy regulator, and the agency in charge of enforcing the Privacy Act.

The enhanced enforcement powers include:

  • New powers to conduct assessments. 
  • Expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation. This means the OAIC has more options for what it can make a company do if it’s found to have seriously invaded privacy.
  • Strengthening the Notifiable Data Breaches scheme so that the Commissioner has a better understanding of what information has been compromised in a breach and can assess the risk of harm to individuals.

It also includes enhanced information sharing powers which will enable the Commissioner to share details with other organisations, such as enforcement bodies, other complaint bodies (like the eSafety Commissioner), or other privacy regulators (such as state-based regulators, or privacy regulators in other countries). 

Increased penalties for privacy breaches

If passed, the Bill will also increase the penalties in the Privacy Act for “serious or repeated” interferences with privacy. 

Currently, the maximum fine for a serious or repeated breach of privacy is $2.1 million. This has long been criticised as far too low to be a real deterrent for poor privacy practices, and is often framed as the “cost of doing business”.  

Under the Bill, the fines increase to whatever is the greatest amount out of these three options:

  • $50 million, 
  • three times the value of the benefit the entity obtained from the privacy invasive conduct (where it’s possible for this to be determined), or 
  • 30% of the adjusted turnover of the entity during the breach period.

For what it’s worth, these proposed penalties are three times higher than what was proposed by the Coalition government in 2021.

Currently, the OAIC has to ask the Federal Court to levy these fines, and this Bill doesn’t change that. Nor does it alter the existing “serious or repeated” threshold, which further limits when these penalties can be used.

Increased penalties that reflect the serious nature of privacy invasions and data breaches are a welcome first step, but we can’t stop here. Despite these new powers, the OAIC still doesn’t have the resources to keep up with an increasing workload and the complexity of protecting privacy in the data-driven internet economy. It’s vital that we have a well-resourced and empowered regulator to ensure our right to privacy is being enforced.

Expanded international scope

The Bill also amends the existing extraterritorial jurisdiction of the Privacy Act to make it more practicable and fit for purpose in the global internet economy.

Currently, foreign entities that do business in Australia only have to meet the obligations of the Privacy Act if they have an ‘Australian Link’. This means they must not only operate in Australia, but also collect or hold information from a source in Australia.

In practice, this can be hard to establish, because companies often collect personal information about Australians, but it doesn’t necessarily come from a source in Australia. For example, they might collect the information from a digital platform that doesn’t have servers in Australia. In these cases, the Privacy Act wouldn’t apply to them. In the global internet economy, this is a pretty limiting loophole.  

The Bill removes the requirement that the information come from a source in Australia, so that organisations conducting business in Australia need to meet the obligations under the Privacy Act. This is a welcome improvement!

This is a good start, but we can’t stop here

Digital Rights Watch welcomes increased penalties under the Privacy Act. Having strong penalties when organisations don’t comply with the Privacy Act is important—it can act as an incentive for companies and government agencies to take compliance seriously. 

However, it’s not enough to increase penalties without also increasing the capacity for the OAIC to enforce the Act. Despite the scope and complexity of protecting privacy in the digital age only increasing, the OAIC has been woefully underfunded for years.

The OAIC was provided an additional $5.5 million in Labor’s 2022 Budget to investigate the Optus data breach. While this is welcome, it still falls short of what is required for meaningful, long term improvement.    

These changes also fall short of providing real, meaningful pathways of redress for individuals who suffer harm as a result of their privacy being invaded. Fines can work as a disincentive, but they won’t necessarily reduce the harm caused to individuals or restore people’s privacy. 

We need a direct right of action and a statutory tort for serious invasion of privacy. Currently, if an organisation invades your privacy or breaches the Australian Privacy Principles (APPs), you have to go through the OAIC if you want to take action or pursue redress (such as compensation). Regulators can’t deal with this problem alone. A direct right of action and statutory tort would give people pathways for redress, including the right to lodge a case, without needing to go through the OAIC. This is an important way to empower people to take their right to privacy into their own hands.

Digital Rights Watch hopes to see this, alongside other meaningful reforms to the Privacy Act.  

We need meaningful privacy reform 

We need to end the culture of data hoarding that dominates Australia. Our privacy is regularly being invaded by companies and government agencies that collect and store more information than they need. This is clearly putting Australians at risk. Increased penalties that reflect the serious nature of privacy invasions and data breaches are a welcome first step, but we can’t stop here.

The best way to reduce the harm caused by data breaches is to not collect and store the data in the first place. We’re looking forward to a full review of the Privacy Act later this year and we hope to see a range of reforms that reduce the amount of information companies can collect and store while also giving the public a direct right of action if a company does invade their privacy.