A Bill released this week proposes to fine companies up to the greater of $10 million and 10% of their annual turnover for privacy breaches. The Bill also targets the online privacy practices of social media giants and data brokers and gives the privacy regulator new enforcement mechanisms. We share the key takeaways in this article so you can prepare ahead of time.
The Australian Government Attorney-General’s Department (AGD) on Monday released the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) (OP Bill). If passed, the OP Bill will significantly strengthen the protection of privacy by broadening the Privacy Act 1988 (Cth) (Privacy Act), impose strict new obligations on online platforms, significantly increase penalties for privacy breaches and enhance the enforcement options available to the Privacy/Information Commissioner and her office (OAIC).
The OP Bill implements the long-anticipated increase in penalties for serious and repeated interferences with privacy. For a body corporate, the current maximum penalty of $2.22 million will increase to an amount the greater of:
This brings the Privacy Act more in line with the EU’s General Data Protection Regulation, whose maximum penalty is the greater of €20 million and 4% of global turnover. We expect that these increased penalties alone will see many Australian organisations (big, medium and small) treat data governance and privacy compliance with new-found respect, with privacy compliance becoming one of their top five strategic priorities over the coming 3-5 years.
The majority of entities subject to the Privacy Act are caught as ‘APP entities’. The OP Bill introduces a new concept of OP organisations which is to comprise:
Private-sector APP entities that are social media platforms, data brokerage services and/or large online platforms will therefore also be OP organisations and thus be subject to an ‘OP code’ with elevated and more specific privacy requirements than will apply to other APP entities.
The OP code is yet to be developed but the OP Bill specifies what it must address, namely:
The Privacy Act already applies to foreign organisations with an ‘Australian link’. One way to have an Australian link is to collect or hold personal information in Australia. At present, it can be difficult to establish whether a foreign organisation collects or holds personal information in Australia (although the recent Uber determination set out the OAIC’s views on this). For example, personal information frequently finds its way out of Australia into the hands of one organisation only to be on-collected (outside Australia) by a second organisation, allowing that second organisation to evade the application of the Privacy Act.
This likely contributes to low levels of trust in online services. It leads to Australians choosing not to use certain apps, deleting apps they have previously used or providing false information when using online services as a means of taking privacy into their own hands. The OP Bill seeks to plug this ‘leak’ in line with the objectives of the Privacy Act.
Once enacted, the OP Bill will:
These changes represent a material enhancement of the enforcement tools available to the OAIC in respect of all breaches of the Privacy Act (by both OP organisations and other entities regulated by the Privacy Act).
The OP Bill bolsters the overall strength of Australian data regulation and increases the already significant pressure on organisations to uplift governance, practices and training. Ahead of the enactment of the OP Bill, organisations should be consolidating their GRC capability in light of the already complex web of data regulation that will impact their activities.
The OP Bill signals the continued dual approach to privacy whereby the Consumer Data Right operates in parallel to the Privacy Act. The Consumer Data Right regime will prevail to the extent of any inconsistency with the OP code.
The AGD is accepting submissions on the OP Bill and consultation Regulation Impact Statement. Submissions can be made on the AGD’s website or via email at OnlinePrivacyBill@ag.gov.au.
Private-sector APP entities should start considering how the OP Bill will impact their business and activities.
Clyde & Co has the largest dedicated cyber incident response and privacy advisory practice in Australia and New Zealand and has more 5-Star Cyber Lawyers than any other firm. Our experienced team has dealt with thousands of data breach and technology-related disputes in recent times, as well as privacy reviews, assessments and solutions advice, including a number of the largest and most complex incidents in Asia-Pacific to date.
From pre-incident readiness reviews, solutions and advice, through breach response, to the defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for its expertise and experience in financial services information technology prudential requirements and in managing all forms of disputes across sectors, including advising on some of the most newsworthy class actions commenced in Australia.
Our 24-hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:
Australia: +61 2 9210 4464
New Zealand: +64 800 527 508