Flurry of activity in the Privacy Act review, including tougher penalties and new online privacy framework
November 25, 2021
This article was co-authored with India Bennett.
After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments.
Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 and seeks further feedback on potential changes to the Privacy Act. Public consultation on this discussion paper is open until 10 January 2022. In the coming weeks, we will share with you our insights on the 217-page discussion paper.
Secondly, the Government has released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, otherwise known as the “Online Privacy Bill”. In this article we set out a brief overview of what businesses should be considering in respect of the Online Privacy Bill.
Online Privacy Bill
The Online Privacy Bill is intended to give effect to the Federal Government’s commitment to strengthen the Privacy Act by increasing penalties and associated enforcement provisions, as well as enabling the introduction of a binding online privacy code for social media and certain other online platforms.
Substantial increases in penalties
The Online Privacy Bill proposes significantly increased penalties for serious or repeated interferences with privacy under the Privacy Act. For body corporates, the maximum penalty will increase to an amount not exceeding the greater of:
- $10 million;
- three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or
- 10% of domestic annual turnover.
Under the dollar cap alone, this is an almost five-fold increase from the current maximum penalty of A$2.22 million, and the second and third limbs could produce significantly higher penalties again. The proposed penalties are similar to the maximum penalties under the Australian Consumer Law. In comparison, the monetary cap is still much less than the cap under the EU General Data Protection Regulation (GDPR), including the UK version post-Brexit, where the maximum penalty for serious infringements is the greater of €20 million (about A$31 million) or 4% of annual global turnover. However, for businesses with an annual turnover in excess of A$100 million, the 10% turnover cap should not be dismissed lightly.
The increase in the maximum penalty is intended to send a clear message to Australian and foreign entities subject to the Privacy Act that breaches will be treated seriously, and to reinforce the need for compliance. This risk is further increased by separate proposals to introduce new compliance obligations under the Act and to expand the scope of foreign entities which will be subject to the Act. In order to manage the risks, privacy governance and…