New Penalties Recommended for Privacy Infringements

Hyun Shin

The Australian Consumer and Competition Commission (ACCC) recently released its Digital Platforms Inquiry which, although focused on the impact of digital platforms (Google and Facebook) on competition in the media and advertising markets, also touched upon privacy-related issues. Its recommendations included strengthening protections in the Privacy Act and the privacy law regime in general. Some of the key recommendations were:

The recommendations follow proposals made earlier in the year by the Attorney-General and Minister for Communications, Cyber Safety and the Arts for a tougher penalty regime under the Privacy Act. The proposed changes to the Privacy Act have not yet come into effect, but the legislative changes are to be drafted for consultation later this year, with a view to incorporating the relevant findings of the Digital Platforms Inquiry.

It’s unclear at this stage to what extent the recommendations from the Digital Platforms Inquiry will be incorporated in the proposed legislative changes. However, one of the key changes to the Privacy Act proposed by the Federal Government earlier this year is increased financial penalties for misuse of personal information. Under the proposed changes, penalties for serious or repeated breaches would increase from $2.1 million to the greater of:

The increased penalties will bring the Privacy Act in line with the penalty provisions in the upcoming Consumer Data Rights regime and will be the latest step in the shift of Australia’s privacy laws towards the EU’s General Data Protection Regulation (GDPR).

Further, the OAIC will be given powers to issue infringement notices of up to $63,000 for companies or $12,600 for individuals.

The Federal Government also intends to provide the OAIC with more options beyond financial penalties, such as publishing notices about particular privacy breaches.

These proposed changes will affect individuals, the private sector and not-for-profit organisations with annual turnovers of $3 million or more per financial year and small businesses which handle personal information.

All businesses need to be aware of this rapidly changing area of law and we recommend that you ensure your dealings with personal information comply with the Privacy Act.

If you’d like assistance in reviewing or preparing a privacy policy or in dealing with personal information, please contact our Commercial Law team: