Tougher penalties on data breach and misuse

On 24 March 2019, the Attorney General, Christian Porter, and the Communications Minister, Mitch Fifield, announced proposed changes to the Privacy Act 1988 (Cth) (Act) for the purpose of enhancing the protection of personal information.

The proposed amendments to the Act will increase penalties for all entities that have obligations under the Act, especially social media and online platforms that operate in Australia. The outlined penalty for serious or repeated breaches will be $10 million (an increase from $2.1 million), three times the value of any benefit obtained through the misuse of information, or 10 percent of a company’s annual domestic turnover.1 The highest of the three penalties would apply for data breach and misuse of personal information. 2

The Office of the Australian Information Commissioner (OAIC) will have new infringement notice powers and penalties of up to $63,000 for bodies corporate and $12,600 for individuals if they fail to cooperate with efforts to resolve minor breaches. 3

Further, the OAIC will have options available to ensure that breaches can be addressed through third-party reviews, and may elect to publish prominent notices about specific breaches in an effort to communicate with those directly affected. 4

The legislative amendments that introduce the new penalties and the enforcement system will also establish a code for social media and online platforms. This code will require social media and online platforms to be transparent about data sharing and to gain specific consent from their users when they collect, use and disclose personal information. 5

Social media and online platforms will be required to have a regime that ensures they have taken reasonable action to cease the use of an individual’s personal information if the user has requested they do so. It is proposed that a stricter regime be applicable if the personal information relates to minors or other vulnerable persons. 6

The current proposed amendment to the Act demonstrates the Federal Government is taking action to protect personal information. However, the message that is reinforced to entities is that they need to be responsive to a data breach and cognisant of their legal obligations when they hold, use and share personal information.

The consultation for the proposed amendment to the Act is scheduled for the second half of 2019.7 


1 Department of the Attorney General (Cth), ‘Tougher Penalties to Keep Australians Safe Online’ (Media Release, 24 March 2019).
2 Ibid.  
3 Ibid.  
4 Ibid.  
5 Ibid.  
6 Ibid.  
7 Ibid.