06/08/2024
The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, which commenced on 13 December 2022, introduced targeted measures to enhance the ability of the Office of the Australian Information Commissioner (OAIC) to regulate in line with community expectations and protect Australians’ privacy in the digital environment.
The Amendment includes changes to three different Acts:
- Australian Communications and Media Authority Act 2005;
- Australian Information Commissioner Act 2010;
- Privacy Act 1988.
The Amendment introduced significantly increased penalties for serious and/or repeated privacy breaches and greater powers for the OAIC to resolve breaches. The OAIC can now request information in relation to an actual or suspected eligible data breach of an entity or an entity’s compliance with the requirements set out in the Notifiable Data Breach (NDB) scheme, and can publish certain information publicly if it is in the public interest to do so. The OAIC and the Australian Communications and Media Authority (ACMA) may also share information with other enforcement bodies, including foreign data protection authorities.
Companies that fail to take adequate care of customer data now face much higher penalties under the Amendment. The Amendment increases the maximum penalties for serious or repeated privacy breaches from the previous $2.22 million to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company’s adjusted turnover in the relevant period.
The maximum civil penalty for individuals also increased from the previous $444,000 to $2.5 million.
The Amendment expands the entities captured by removing the requirement that an entity collect or hold personal information in Australia; instead, it captures all entities that have an Australian link. Any foreign entity carrying on a commercial activity in Australia is now captured by the Privacy Act, so that the Act can be enforced against global technology companies that may process Australians’ information on servers offshore.
For further information contact us at enquiries@griffinlegal.com.au