New Penalties Recommended for Privacy Infringements
The Australian Consumer and Competition Commission (ACCC) recently released its Digital Platforms Inquiry which, although focused on the impact of digital platforms (Google and Facebook) on competition in the media and advertising markets, also touched upon privacy-related issues. Its recommendations included strengthening the protections in the Privacy Act and the privacy law regime in general. Some of the key recommendations were:
- broadening the definition of personal information to include identifiers such as IP addresses and location data;
- the strengthening of notification and consent requirements;
- requiring entities subject to the Privacy Act to erase personal information of a consumer without undue delay on receiving a request for erasure;
- introducing direct rights for individuals to bring actions or class actions before the courts to seek compensation for an interference with their privacy under the Privacy Act;
- the introduction of an enforceable code developed by the Office of the Australian Information Commissioner (OAIC); and,
- the introduction of a statutory tort covering “serious invasions of privacy” which may not be captured within the scope of the Privacy Act.
The recommendations follow proposals made earlier in the year by the Attorney-General and Minister for Communications, Cyber Safety and the Arts for a tougher penalty regime under the Privacy Act. The proposed changes to the Privacy Act have not yet come into effect, but the legislative changes are to be drafted for consultation later this year, with a view to incorporating the relevant findings of the Digital Platforms Inquiry.
It’s unclear at this stage to what extent the recommendations from the Digital Platforms Inquiry will be incorporated in the proposed legislative changes. However, one of the key changes to the Privacy Act proposed earlier this year by the Federal Government is increased financial penalties for misuse of personal information. Under the proposed changes, penalties for serious or repeated breaches would increase from $2.1 million to the greater of:
- $10 million; or,
- three times the value of any benefit obtained through the misuse of information; or,
- 10% of a company’s annual domestic turnover.
The increased penalties will bring the Privacy Act in line with the penalty provisions in the upcoming Consumer Data Rights regime and will be the latest step in the shift of Australia’s privacy laws towards the EU’s General Data Protection Regulation (GDPR).
Further, the OAIC will be given powers to issue infringement notices of up to $63,000 for companies or $12,600 for individuals.
The Federal Government also intends to provide the OAIC with more options beyond financial penalties, such as publishing notices about particular privacy breaches.
These proposed changes will affect individuals, the private sector and not-for-profit organisations with annual turnovers of $3 million or more per financial year and small businesses which handle personal information.
All businesses need to be aware of this rapidly changing area of law and we recommend that you ensure your dealings with personal information comply with the Privacy Act.