The Attorney-General of Australia, the Hon Christian Porter MP, announced, on 24 March 2019, proposed amendments (‘the Proposed Amendments’) to the Privacy Act 1988 (‘the Privacy Act’). In particular, the Proposed Amendments will include a new penalty regime, provisions which enhance the powers of the Office of the Australian Information Commissioner (‘OAIC’), as well as specific rules to protect the personal information of children and other vulnerable groups.
Patrick Fair, Partner at Baker McKenzie, told DataGuidance, “The Government [stated that] the Proposed Amendments aim to ensure the protection of online information and particularly have a focus on major social media companies and the protection of children. However, this explanation is puzzling to the extent that the Proposed Amendments relate to increased penalties, [despite] cases where fines have been levied against corporations for a breach of the Privacy Act being very rare. For some large companies the increase in penalties will add an additional reason to invest in privacy compliance but I’m not sure it will make a material difference for most organisations that are already making an effort to comply with the Privacy Act.”
The Proposed Amendments would increase the maximum penalty for serious or repeated data breaches to AUD 10 million (approx. €6,266,900), three times the value of any benefit obtained through the misuse of information, or 10% of a company’s annual domestic turnover, whichever is greater. In addition, the Proposed Amendments would provide new infringement notice powers to the OAIC for failure to cooperate with efforts to resolve minor breaches, including new penalties of up to AUD 63,000 (approx. €39,630) for corporations and AUD 12,600 (approx. €7,930) for individuals.
Fair noted, “The most significant change in the Proposed Amendments is that they will result in a code for social media and online platforms which trade in personal information, requiring more transparency in relation to data sharing. In addition, the Proposed Amendments would require explicit consent from users in order to collect, use and disclose personal information […] The existing regime only requires consent for the collection of sensitive information and disclosure regarding the types of bodies with whom information is usually shared. Accordingly, a requirement of explicit consent for the sharing of information will be a new and notable change to Australian law consistent with the introduction of a wider consent requirement in the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).”
The Proposed Amendments would introduce alternative options available to the OAIC to ensure that data breaches are addressed, and that those directly affected are advised, through third-party reviews and the publication of prominent notices about the specific breach. Moreover, the Proposed Amendments outline that online platforms would be required to implement a mechanism to ensure they take all reasonable action to stop using an individual’s personal information if a user requests them to do so, and to have stronger mechanisms in place when the user is a child or other vulnerable person.
Fair concluded, “[The Proposed Amendments would introduce] an increase in funding [AUD 25 million (approx. €16 million) over three years] to the OAIC, [which] would enable it to deal with the complaints received more quickly, [as] handling time is currently quite slow, and would possibly allow the OAIC to undertake investigations in relation to issues that are not currently being investigated.”
The Proposed Amendments will be drafted for consultation in the second half of 2019.
Christopher Campbell, Privacy Analyst