
New obligations, bigger penalties and stronger enforcement in major privacy shake-up

  • Legal Development 27 October 2021
  • Asia Pacific

A Bill released this week proposes to fine companies up to the greater of $10 million and 10% of their annual turnover for privacy breaches. The Bill also targets the online privacy practices of social media giants and data brokers and gives the privacy regulator new enforcement mechanisms. We share the key takeaways in this article so you can prepare ahead of time.

The Australian Government Attorney-General’s Department (AGD) on Monday released the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Cth) (OP Bill). If passed, the OP Bill will significantly strengthen the protection of privacy by broadening the Privacy Act 1988 (Cth) (Privacy Act), imposing strict new obligations on online platforms, significantly increasing penalties for privacy breaches and enhancing the enforcement options available to the Privacy/Information Commissioner and her office (OAIC).

Much higher penalties

The OP Bill implements the long-anticipated increase in penalties for serious and repeated interferences with privacy. For a body corporate, the current maximum penalty of $2.22 million will increase to an amount the greater of:

  • $10 million;
  • three times the value of any benefit obtained by the entity from the conduct constituting the serious and repeated interference with privacy; and
  • 10% of the entity’s domestic annual turnover.

This brings the Privacy Act more in line with the EU’s General Data Protection Regulation’s maximum penalty, being the greater of €20 million and 4% of global turnover. We expect that these increased penalties alone will see many Australian organisations (big, medium and small) treat data governance and privacy compliance with new-found respect, becoming one of their top five strategic priorities over the coming 3-5 years.

Online platforms in the spotlight

The majority of entities subject to the Privacy Act are caught as ‘APP entities’. The OP Bill introduces a new concept of OP organisations which is to comprise:

  • social media platforms, defined to exclude other digital services that might incidentally include social functionality;
  • data brokerage services, intended to include businesses that trade in personal information they collect online (e.g. loyalty schemes and rewards programs); and
  • large online platforms, being online platforms that collect individuals’ personal information and have more than 2.5 million end users.

Private-sector APP entities that are social media platforms, data brokerage services and/or large online platforms will therefore also be OP organisations and thus be subject to an ‘OP code’ with elevated and more specific privacy requirements than will apply to other APP entities.

The OP code is yet to be developed but the OP Bill specifies what it must address, namely:

  • that OP organisations’ privacy policies clearly and simply explain the purposes for which they collect, hold, use and disclose personal information;
  • that privacy notices on collection of personal information by OP organisations be clear and understandable, current and provided in a timely manner;
  • that consent for collection, use and/or disclosure of personal information obtained by OP organisations is voluntary, informed, unambiguous, specific and current;
  • that consent pertaining to the collection, use and/or disclosure of sensitive information obtained by OP organisations be renewed periodically or when circumstances change;
  • a new individual right to object to an OP organisation’s use or disclosure of personal information (except where the use or disclosure is authorised or required by law, etc);
  • how the requirements of the OP code will apply to children and vulnerable persons not capable of making their own privacy decisions; and
  • requirements that social media platforms verify the age of their users, ensure the collection, use or disclosure of children’s personal information is fair and reasonable with regard to the best interests of the child, obtain privacy consent from each child’s parent/guardian and verify that consent.

An extraterritoriality loophole eliminated

The Privacy Act already applies to foreign organisations with an ‘Australian link’. One way to have an Australian link is to collect or hold personal information in Australia. At present, it can be difficult to establish whether a foreign organisation collects or holds personal information in Australia (although the recent Uber determination set out the OAIC’s views on this). For example, personal information frequently finds its way out of Australia into the hands of one organisation only to be on-collected (outside Australia) by a second organisation, allowing that second organisation to evade the application of the Privacy Act.

This likely contributes to low levels of trust in online services. It leads to Australians choosing not to use certain apps, deleting apps they have previously used or providing false information when using online services as a means of taking privacy into their own hands. The OP Bill seeks to plug this ‘leak’ in line with the objectives of the Privacy Act.

Stronger enforcement

Once enacted the OP Bill will:

  • introduce new determinations that the OAIC can make;
  • empower the OAIC to compel an entity to engage an external privacy consultant (e.g. digital/privacy lawyer, IT risk or cybersecurity specialist) to review the entity’s privacy practices/process, review remediation of non-compliance and report findings back to the OAIC;
  • permit the OAIC to share information and documents with law enforcement, eSafety and State, Territory and foreign privacy regulators (subject to certain limitations); and
  • empower the OAIC to assess an entity’s ability to comply with the notifiable data breaches regime.

These changes represent a material enhancement of the enforcement tools available to the OAIC in respect of all breaches of the Privacy Act (by both OP organisations and other entities regulated by the Privacy Act).

The thickening web of data regulation

The OP Bill bolsters the overall strength of Australian data regulation and increases the already significant pressure on organisations to uplift governance, practices and training. Ahead of the enactment of the OP Bill, organisations should be consolidating their GRC capability in light of the already complex web of data regulation that will impact their activities.

The OP Bill signals the continued dual approach to privacy whereby the Consumer Data Right operates in parallel to the Privacy Act. The Consumer Data Right regime will prevail to the extent of any inconsistency with the OP code.

Next steps

The AGD is accepting submissions on the OP Bill and consultation Regulation Impact Statement. Submissions can be made on the AGD’s website or via email at OnlinePrivacyBill@ag.gov.au.

Private-sector APP entities should start considering how the OP Bill will impact their business and activities.

How can we help?

Clyde & Co has the largest dedicated cyber incident response and privacy advisory practice in Australia and New Zealand and has more 5-Star Cyber Lawyers than any other firm. Our experienced team has in recent times dealt with thousands of data breach and technology-related disputes, privacy reviews, assessments and solutions advice, including a number of the largest and most complex incidents in Asia-Pacific to date.

From pre-incident readiness reviews, solutions and advice, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients globally across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in financial services information technology prudential requirements and managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

Our 24-hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:

Australia: +61 2 9210 4464

New Zealand: +64 800 527 508

cyberbreach@clydeco.com
