Australia: OAIC and OPC launch joint investigation against Latitude Group
The Office of the Australian Information Commissioner ('OAIC') announced, on 10 May 2023, that it had launched a joint investigation with the New Zealand Office of the Privacy Commissioner ('OPC') into the personal information handling practices of The Latitude Group. The investigation follows preliminary inquiries by both authorities into a data breach suffered by Latitude that affected individuals in both countries. In particular, the OAIC stated that its investigation will focus on whether Latitude took reasonable steps to protect the personal information it held from misuse, interference, loss, unauthorised access, modification, or disclosure, and whether Latitude took reasonable steps to destroy or de-identify personal information that was no longer required. In this regard, the OAIC noted that if the investigation leads to a finding that Latitude has breached one or more of the Australian Privacy Principles, then the OAIC/Privacy Commissioner may make a determination requiring Latitude to take steps to ensure its practice is not repeated or continued, and to redress any loss or damage. Furthermore, the OAIC specified that if serious and/or repeated privacy failures in contravention of Australian privacy law are found, the Privacy Commissioner has the power to seek civil penalties through the Federal Court of up to $50 million (approx. €30.8 million) for each contravention.
Notably, the OAIC highlighted that the joint investigation does not preclude the OAIC and OPC reaching separate regulatory outcomes or making separate decisions regarding the most appropriate regulatory response to a finding of a breach.