Australia: How reforms are giving new powers to the privacy regulator
After a year of high-profile data breaches, 2023 is shaping up to be a year of privacy reform. As the economic and personal harm of data breaches continues to be felt, governments are escalating their response by expanding the powers of privacy regulators. Katherine Sainty and Aisling Hamilton, from Sainty Law, examine how privacy reforms have expanded the powers of the Office of the Australian Information Commissioner ('OAIC') and what that means for Australian businesses.
Era of reform
As Australia enters the new year, the nation finds itself facing sweeping reforms that will change the national data privacy landscape.
Plans to reshape Australia's data regulation began in 2019 with the announcement of the Attorney-General's review of the Privacy Act 1988 (Cth) No. 119 1988 (as amended) ('the Privacy Act'). In addition, the Federal Government has committed AUD 1.67 billion (approx. €1.08 billion) to improve data protection through the Cyber Security Strategy 2020.
In 2022, Australia's privacy vulnerabilities exposed the need for reform. Several different sectors fell victim to cyberattacks and damaging data breaches. The fallout from the 2022 data breaches created a reinvigorated Federal Government push to reform the Privacy Act.
In late 2022, the Australian parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 ('the Amendment Act') which changed the Privacy Act in three substantial ways:
- increased penalties for privacy breaches;
- expanded the Act's extra-jurisdictional reach; and
- increased the powers of the OAIC.
Below is an exploration of the OAIC's new powers.
The OAIC is an independent national regulatory body tasked with protecting individuals' privacy rights. As a regulatory body, the OAIC has the power to initiate investigations, manage complaints, and promote privacy. Privacy reforms have since expanded the OAIC's remit.
The OAIC's powers extend to entities that are bound by the Privacy Act, including:
- Australian government agencies and service providers under Australian government contracts;
- organisations with an annual turnover above AUD 3 million (approx. €1.95 million);
- private sector health service providers;
- businesses that sell or purchase personal information;
- credit reporting bodies; and
- businesses that hold an accreditation under the Consumer Data Right system.
The OAIC has updated its Privacy Regulatory Action Policy [1] ('the Policy') to reflect the changes to the Privacy Act. The Policy is a publicly accessible document that is regularly updated to reflect changes in the data privacy and risk landscape.
The Policy recognises three broad changes to the OAIC's powers:
- enforcement powers;
- information gathering powers; and
- information sharing powers.
These are discussed below.
Enforcement powers
The OAIC's enforcement powers are designed to deter privacy breaches and expedite remedies for those affected by breaches.
The Amendment Act extends the power of the OAIC to enforce the Privacy Act against foreign organisations that have an Australian link, even if they are based offshore. The Amendment Act has broadened the criteria for establishing an Australian link by removing the requirement for organisations to collect or hold personal information in Australia.
The rationale driving this reform is to close loopholes created by foreign-based servers. These servers allowed foreign organisations to collect Australian personal information without triggering the powers of the OAIC. Now an Australian link can be established if a foreign organisation carries on business in Australia.
The Privacy Act does not define what it means to 'carry on business in Australia'. While this term is well understood for tax and corporations law purposes, it is not yet clear how the OAIC will apply it in practice.
The Amendment Act's Bill Digest ('the Digest') explains that the aim of this amendment is to ensure global technology players and others who are operating offshore that collect personal information on Australians are bound by Australian privacy laws.
However, the Digest goes on to suggest that it may be enough for an entity to simply provide services to Australian end users in order for it to be caught by the Privacy Act.
The Digest also indicates that the Australian link may be broad enough to capture the activities of foreign-based companies that are unrelated to Australian users. However, this remains to be seen.
The Amendment Act allows the OAIC to issue infringement notices to individuals who fail to give information when compelled to do so by the OAIC. The purpose of this reform is to substitute the previous criminal penalties with civil penalties. This will allow the OAIC to resolve cases in a timely and cost-effective manner.
Information gathering powers
The Amendment Act strengthens the OAIC's power to gather information regarding an eligible data breach. The regulatory body can now require an entity to provide information, produce documents, and answer questions relating to the Notifiable Data Breaches ('NDB') scheme. The reform is intended to fill a gap: previously, entities had no obligation to cooperate with Commissioner-led preliminary investigations.
Additionally, the OAIC has been granted new powers to conduct assessments relating to an entity's compliance with the NDB scheme. Using these powers, the Commissioner may assess the processes and policies an entity has in place to manage eligible data breaches.
Information sharing powers
The OAIC's information sharing powers have been broadened by the Amendment Act. The Privacy Act now allows the OAIC to share information with:
- enforcement bodies;
- alternative complaint bodies;
- Australian State or Territory governments;
- foreign privacy regulators; and
- the public.
The expanded information sharing powers are designed to promote cooperation between privacy regulators both domestically and abroad. The additional powers relating to public disclosure allow the OAIC to release information that is in the public's interest. This disclosure power can be used to promote privacy and deter non-compliance.
Australia is in the midst of major privacy reform and is expected to announce further changes throughout the year. It's important for businesses to keep on top of these changes and update their processes accordingly.
The Attorney-General's review of the Act is now complete, and a response is expected in the coming months. It's anticipated that a plethora of reforms will quickly follow the release of this response.
The OAIC is now in the process of updating its regulatory guides to reflect changes in the legal and data privacy environment. These regulatory guides provide businesses with crucial information about how the OAIC enforces privacy regulations.
What can your business do?
The OAIC's preferred regulatory approach to enforcing the Privacy Act is to work with businesses. This means businesses should be proactive and use the materials published by the OAIC to improve privacy practices. This includes:
- reviewing the Privacy Regulatory Action Policy;
- checking the OAIC's website for the updated Guide to Privacy Regulatory Action;
- reviewing internal privacy policies and procedures;
- ensuring your organisation has an established data breach escalation protocol; and
- regularly training your staff on privacy and cybersecurity obligations.
[1] See: https://www.oaic.gov.au/about-us/our-regulatory-approach/privacy-regulatory-action-policy#:~:text=The%20OAIC%20and%20its%20jurisdiction,legislation%20containing%20privacy%20protection%20provisions