Australia’s Privacy Legislation Amendment

How Will It Impact You & Your Organisation?
Sarah Morrison
February 16, 2023

Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022

The Australian government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 in December 2022, in response to recent data breaches. The Act aims to strengthen Australia’s privacy framework by providing more enforcement powers to regulators, including the Office of the Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA). It also increases penalties for breaches of privacy law and introduces new measures to improve transparency and accountability.

Penalties for Serious or Repeated Interferences

Under the new legislation, OAIC will have the ability to issue fines of up to $50 million for organisations and up to $2.5 million for individuals who repeatedly interfere with privacy, both of which are significant increases from previous penalties. OAIC will also have the power to make specific determinations at the end of an investigation and to ensure that foreign organisations operating in Australia meet their obligations under the Act. This is a timely move, as the increasingly global nature of business means that more and more organisations are operating in multiple countries. It will make it more difficult for foreign organisations to avoid their obligations under Australian privacy laws and will ensure that individuals’ personal data is protected regardless of where an organisation is based.

Notifiable Data Breaches Scheme

The Notifiable Data Breaches scheme, which has been in place since 2018, will also be strengthened to increase accountability for organisations and individuals who fail to meet the required data breach notification standards. OAIC will be able to request information from organisations to ensure compliance with the scheme.

Transparency and Accountability

The privacy legislation amendment includes measures to improve transparency and accountability, such as the right of access and correction for individuals, and the ability for OAIC to assess organisations’ data protection practices proactively. This means that individuals will have more control over their personal data, and organisations will have to be more transparent about their data handling practices.

Privacy Information Sharing

The Act also allows for information sharing between enforcement bodies and states, territories, and foreign regulators with similar privacy laws, to increase coordination and protection of personal information. OAIC and ACMA will also be able to cooperate with other enforcement bodies concerning data breaches, such as the Australian Competition and Consumer Commission. Overall, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 is a significant step forward in protecting individuals’ privacy in Australia.

Other Impacts of a Privacy Breach

In addition to the financial penalties, organisations found to be in violation of the new privacy legislation amendment will also face reputational damage. With increased transparency and accountability, it will be more difficult for organisations to hide any non-compliance with privacy laws. This will likely lead to increased scrutiny from the public and media, which can have a significant impact on an organisation’s reputation and bottom line.

What Can You Do to Comply With Australian Privacy Legislation?

Some of the key steps your organisation should already be taking to manage data privacy risk and reduce the potential impacts of the privacy legislation amendment:

Overall, it is important for organisations to take a proactive approach to protect personal information and regularly review and update their security practices to ensure they are compliant with the new legislation.

For more information on what threat actors do with your personal information after it’s been stolen, and why it’s so valuable to them, read our informative article What Happens to Personal Data After a Breach?

Sarah Morrison

Sarah is the Co-CEO of Morrisec. With over 20 years in cybersecurity and a PhD in Russian information operations, Sarah has a deep understanding of threat actors and their tactics and motivations, making her highly equipped to assist organisations in their defence against them.