A Bill for an Act to amend the law in relation to privacy, and for other purposes
Administered by: Attorney-General's
For authoritative information on the progress of bills and on amendments proposed to them, please see the House of Representatives Votes and Proceedings, and the Journals of the Senate as available on the Parliament House website.
Registered 01 Nov 2022
Introduced HR 26 Oct 2022

2022

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

HOUSE OF REPRESENTATIVES

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

EXPLANATORY MEMORANDUM

(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

General Outline

1.                  The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act) to increase penalties under the Privacy Act, provide the Australian Information Commissioner (the Commissioner) with greater enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Increased penalties

2.                  The Bill will increase the penalty under section 13G of the Privacy Act for serious or repeated interferences with privacy to $2.5 million for a person other than a body corporate, and for a body corporate the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained; or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.

Enhanced enforcement powers

3.                  The Bill will provide the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement powers, including by:

a.       expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation

b.      amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians’ information directly from a source in Australia

c.       providing the Commissioner with new powers to conduct assessments

d. providing the Commissioner with new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation, and

e.       strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.

Enhanced information sharing powers

4.                  The Bill will enhance the Commissioner’s ability to share information by:

a.       clarifying that the Commissioner is able to share information gathered through the Commissioner’s information commissioner functions, freedom of information functions and privacy functions

b.      providing the Commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body, and a State, Territory or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties, and

c.       providing the Commissioner with the power to publish a determination or information relating to an assessment on the Commissioner’s website; and disclose all other information acquired in the course of exercising powers or performing functions or duties if it is in the public interest.

5. The Bill will also amend the ACMA Act to expand ACMA’s ability to share information with any non-corporate Commonwealth entity (as defined in section 11 of the Public Governance, Performance and Accountability Act 2013) responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.

Delegations  

6.                  The Bill will amend the AIC Act to allow the Commissioner to delegate certain functions or powers to a member of staff of the OAIC.

FINANCIAL IMPACT

7.                  This Bill may increase Commonwealth revenue due to increased penalties. This will be dependent on the number and quantum of successful civil penalty orders sought by the Commissioner.


Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

1.                  This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

2.                  The Bill contains a range of measures to enhance the protection of personal information, including amendments to:

a.       increase penalties under the Privacy Act 1988 (Privacy Act)

b.      strengthen the Australian Information Commissioner’s (the Commissioner’s) enforcement powers, and

c.       provide the Commissioner and Australian Communications and Media Authority (ACMA) with greater information sharing arrangements.

Human rights implications

3.                  This Bill engages the following rights:

a.       the right to privacy in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and

b.      the right to a fair trial under Article 14 of the ICCPR.

Increased penalties and enforcement powers

Right to protection against arbitrary or unlawful interference with privacy

4.                  The Bill promotes the right to privacy by strengthening the protection of the law against unlawful interferences with privacy. The Bill expands the mechanisms available to the Commissioner to enforce the protections provided under the Privacy Act for a wide range of situations in which an unlawful interference with privacy can occur.

5.                  The Bill strengthens the protection of the law against unlawful interferences with privacy by:

a.       Increasing the maximum civil penalty for serious or repeated interferences with privacy.

   i. This measure is privacy enhancing. To promote effective deterrence, it is essential for the Privacy Act to provide meaningful sanctions for any conduct interfering with an individual’s privacy.

b.      Creating a new provision allowing the Commissioner to issue an infringement notice for a failure to give information, answer a question or produce a document or record when required to do so (with associated additional civil penalty provisions). A separate criminal penalty has been created if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour.

   i. This measure is privacy enhancing. Providing the Commissioner with new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation will allow the Commissioner to resolve matters more efficiently.

c.       To complement the Commissioner’s existing power to make a declaration in a determination that a respondent must take specified steps to ensure conduct constituting an interference with privacy is not repeated or continued, the Commissioner will be empowered to require the respondent to engage an independent and suitably qualified adviser to assist this process. Additionally, the Commissioner may require the respondent to prepare and/or publish a statement about the conduct that led to the interference with privacy.

   i. These measures are privacy enhancing. Engaging an adviser will assist entities to ensure the non-compliance can be appropriately remediated, and preparing and publishing a statement about the conduct will provide Australians with greater visibility of emerging privacy issues and whether an entity that holds their personal information has breached the Privacy Act.

d.      Empowering the Commissioner to conduct an assessment of an entity’s compliance with the Privacy Act’s Notifiable Data Breaches (NDB) scheme, and providing the Commissioner with a new information gathering power for the purposes of conducting an assessment of any kind and assessing an actual or suspected eligible data breach.

   i. These measures are privacy enhancing. Being able to undertake an assessment of an entity’s compliance with the NDB scheme will ensure entities are meeting the scheme’s reporting and notification requirements, which provides individuals with transparency and assists them in taking steps to protect their privacy. Information gathering powers are necessary to provide the Commissioner with a comprehensive understanding of an entity’s practices to understand the full extent of a breach or an emerging issue.

e.       Strengthening the NDB scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.

   i. This measure is privacy enhancing as it will ensure the Commissioner is able to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.

6.                  The Bill promotes the right to privacy by ensuring that the Commissioner’s enforcement mechanisms and penalties are adequate to protect the privacy of Australians.

Right to a fair trial

7. Article 14 of the ICCPR guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has indicated that the right to a fair trial under Article 14 may extend to acts that are ‘criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity’ (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v. Austria, at para 9.2). The substance of the civil penalties, criminal offences and fair hearing guarantees in the Bill is relevant to ICCPR Article 14. Schedule 1 of the Bill engages the right to a fair trial.

Section 13G – civil penalties

8.                  Under the prevailing law, the maximum civil penalty for serious or repeated interferences with privacy is 2,000 penalty units (section 13G of the Privacy Act) — which, on the current penalty unit value, is a maximum civil penalty of $2.22 million for bodies corporate and $444,000 for other entities regulated by the Privacy Act. These penalties fall short of community expectations, particularly if it is large multinational organisations being penalised, and given the potential financial and emotional harm of serious or repeated breaches.

9.                  The Bill will increase the maximum civil penalty to $2.5 million for a person other than a body corporate. For bodies corporate, the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of their adjusted turnover in the relevant period.

10.              These changes are consistent with the proposed maximum penalties under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022. The Australian Competition and Consumer Commission’s Digital Platforms Inquiry July 2019 report recommended that the maximum penalties of the Privacy Act should be increased to mirror the penalties for breaches of the ACL as the lack of effective deterrence has enabled problematic data practices.

11.              Further, the Privacy Act applies appropriate safeguards that exist in the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) that protect the rights expressed in Article 14. Section 80U of the Privacy Act and Part 4 of the Regulatory Powers Act provide that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. Where conduct contravenes more than one civil penalty provision, proceedings may be commenced in relation to each contravention; however, the entity (or person) cannot be liable for more than one penalty in relation to that conduct.

12.              The maximum penalty for a body corporate is significantly higher than that imposed on a person other than a body corporate. This is necessary to sufficiently deter breaches of privacy, particularly for large digital platforms, and ensure that individuals are adequately protected. By strengthening penalties, Australia will be signalling its expectations that businesses undertake robust privacy and security practices.

13. For these reasons, the level of civil penalties which apply under section 13G is a reasonable and proportionate response to the behaviours the penalties are intended to deter and penalise.

Section 66 – civil and criminal penalties

14.              Under the prevailing law, the criminal penalty for a person refusing or failing to give information, or answer a question or produce a document or record when required to do so under the Privacy Act, is imprisonment for 12 months or 20 penalty units or both for an individual, or 100 penalty units for bodies corporate (section 66 of the Privacy Act).

15.              The Bill creates an infringement notice provision in subsection 66(1) to supplement a new civil penalty provision which will provide an alternative to potential litigation of a civil matter. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate – which, on the current penalty unit value, leads to a maximum penalty of $2,664 for a person and $13,320 for bodies corporate. The civil penalty for the infringement notice provision will be 60 penalty units for a person, and 300 penalty units for bodies corporate – which, on the current penalty unit value, leads to a maximum civil penalty of $13,320 for individuals and $66,600 for bodies corporate.

16.              The Bill also creates a separate criminal offence in subsection 66(1AA) if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour. This would enable the Office of the Australian Information Commissioner (OAIC) to refer matters to the Commonwealth Director of Public Prosecutions for more serious, systemic conduct. The maximum penalty will be 300 penalty units for bodies corporate – which, on the current penalty unit value, leads to a maximum civil penalty of $66,600 for bodies corporate.

17.              These new provisions are subject to the safeguard in subsection 66(1B), which provides a person cannot be penalised if they have a reasonable excuse.

18.              These changes would encourage compliance, and enable the OAIC to effectively resolve privacy complaints and investigations faster, as investigations can be delayed due to the failure of parties to respond to requests for information. The infringement notice provision will provide an alternative to litigation of a civil matter. An infringement notice could be used in instances where a regulatory response is justified, but where it is preferable to attempt to resolve the matter outside of court in the first instance.

19.              As noted above, the Privacy Act applies appropriate safeguards that exist in the Regulatory Powers Act that protect the rights expressed in Article 14. This includes:

a.       The Bill designates the Commissioner and a senior member of the staff of the Commissioner as an infringement officer for the purposes of Part 5 of the Regulatory Powers Act. The infringement notice is subject to the safeguards provided in the Regulatory Powers Act, including that a notice must be issued within 12 months of when the contravention is alleged to have taken place and must outline the consequences of a failure to pay the amount payable under the notice.

b.      Part 4 of the Regulatory Powers Act provides procedures and protections to ensure that entities will not be subject to both criminal and civil penalties for the same conduct.

c.       The Privacy Act incorporates appropriate safeguards when determining the civil penalty to be imposed.

20. For these reasons, the level of civil and criminal penalties which apply under section 66 is a reasonable and proportionate response to the behaviours the penalties are intended to discourage.

Information sharing

Right to protection against arbitrary or unlawful interference with privacy

21.              The Bill limits the right to privacy by expanding the Commissioner’s capacity to share information, including personal information, with an enforcement body, alternative complaint body, and a State, Territory or foreign privacy regulator.

22.              The Bill also limits the right to privacy by expanding ACMA’s capacity to share information, including personal information, with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.  

23.              The Commissioner is generally bound by a secrecy provision in the Australian Information Commissioner Act 2010 which limits the Commissioner’s discretion to share information. The existing provisions of the Privacy Act only provide a limited set of circumstances where the Commissioner can share information or documents with other authorities and other regulators. This significantly impacts the Commissioner’s ability to cooperate with enforcement bodies and other regulators.

24.              The Bill will facilitate better cooperation between the Commissioner and ACMA, and other enforcement and regulatory authorities and entities.

25.              The Commissioner’s information sharing power is subject to several limitations which ensure that it is reasonable, necessary and proportionate. These include that:

a.       the Commissioner can only share information for the purposes of the Commissioner’s, or the receiving body’s, exercise of powers or performance of functions and duties

b.      the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act

c.       the Commissioner must also be satisfied on reasonable grounds that the receiving authority has satisfactory arrangements for maintaining security of the information or documents

d.      where the Commissioner has obtained information or documents from an Australian Government agency, the Commissioner may only share those documents with an Australian Government agency, and

e.       further, if the information is shared with a receiving body under this section, the receiving body may use the information only for the purposes for which it was shared.

26.              Existing protections in section 59D of the Australian Communications and Media Authority Act 2005 will apply to ACMA’s new ability to share information, namely that the ACMA Chair must be satisfied that the information will enable or assist the entity to perform or exercise any of its functions or powers, and that the ACMA Chair may impose conditions to be complied with in relation to the authorised disclosure of information.

27.              This limitation on the right to privacy is permissible as it is a reasonable, necessary and proportionate means of achieving a legitimate goal to improve cooperation between law enforcement and regulatory bodies, and is subject to safeguards.

28.              The Bill also limits the right to privacy by empowering the Commissioner to disclose information acquired in the course of exercising powers, or performing functions and duties.

29.              The disclosure power is subject to the Commissioner being satisfied on reasonable grounds that the disclosure is in the public interest, which ensures that it is reasonable, necessary and proportionate. To determine whether the disclosure is in the public interest specific regard must be given to: 

a.       the rights, freedoms and legitimate interests of any person including the complainant or respondent

b.      whether the disclosure could prejudice an investigation which is underway

c.       whether the disclosure will or is likely to disclose the personal information of any person

d.      whether the disclosure will or is likely to disclose confidential commercial information, and

e.       whether the disclosure would be likely to prejudice enforcement related activities conducted by or on behalf of an enforcement body.

30.              This limitation on the right to privacy is permissible as it is a reasonable, necessary and proportionate means of ensuring Australians are informed about instances where their privacy may have been compromised and are able to take measures to protect their personal information, and is subject to appropriate safeguards.

Conclusion

31.              The Bill is compatible with human rights because it promotes the protection of human rights, particularly the right to privacy in Article 17 of the ICCPR. To the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate to achieve the legitimate aims of the Bill and the Privacy Act.


 

NOTES ON CLAUSES

Preliminary

Clause 1 – Short title

1.                   This clause provides for the short title of the Act to be the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

Clause 2 – Commencement

2.                   This clause provides for the commencement of each provision in the Bill, as set out in the table. Item 1 in the table provides that the whole of this Act will come into effect on the day after the Act receives Royal Assent.

Clause 3 – Schedules

3.                   Clause 3 provides that each Act specified in the Schedule is amended or repealed as set out in the Schedule. Clause 3 also provides that any other item in a Schedule of the Bill will have effect according to its terms.

GENERAL OUTLINE

4.                   The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act) to increase penalties under the Privacy Act, provide the Australian Information Commissioner (the Commissioner) with enhanced enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Australian Communications and Media Authority Act 2005

Item 1 – Subsection 59D(1)

5.                   This item will ensure the ACMA is able to disclose information to a non-corporate Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) that is responsible for enforcing one or more laws of the Commonwealth.

6. The amendment would ensure the ACMA is able to disclose information without needing to specify an exhaustive list of agencies. The amendment is important because for many functions and powers that non-corporate Commonwealth entities are exercising, taking prompt action is critical to help ensure further harm is minimised or avoided. For example, prompt disclosure of information by the ACMA following a data breach could help ensure that financial crime and fraud do not occur.

7. Disclosures are limited only to non-corporate Commonwealth entities, and not the full range of Commonwealth entities. This will ensure disclosures cannot be made to corporate Commonwealth entities that have a separate legal personality from the Commonwealth. This limitation is appropriate due to corporate Commonwealth entities being able to operate commercially with a degree of independence from the policies and direction of the Australian Government. Further, disclosure can only occur where the entity has a role enforcing a law of the Commonwealth. The ACMA Chair will be able to set conditions that must be adhered to by the receiving agency.

8.                   The proposed amendment is consistent with paragraphs 59D(1)(l) and (o), which allow the ACMA to share information with a general class of agencies from the States and Territories, and regulators from foreign countries.

Australian Information Commissioner Act 2010

Item 2 – Section 25

9.                   This item is a technical amendment to allow for the insertion of subsection 25(2), and to reflect that the Commissioner may only delegate specific functions or powers subject to the limitation in subsection 25(2).

Item 3 – Paragraphs 25(e), (g) and (h)

10. This item repeals paragraphs 25(e), (g) and (h). The purpose of this item is to allow the Commissioner to delegate the following functions or powers to a member of staff of the Office of the Australian Information Commissioner (OAIC) to ensure the OAIC’s workload can be managed effectively:

a.       the function conferred by section 55K of the Freedom of Information Act 1982 (FOI Act) (making a decision on an Information Commissioner review)

b.      the function conferred by section 73 of the FOI Act (discretion not to investigate, or continue to investigate, an FOI complaint), and

c.       the function conferred by section 86 of the FOI Act (obligation to notify on completion of FOI investigation).

Item 4 – Paragraph 25(k)

11.               This item is a technical amendment to reflect that paragraph 25(k) is the final paragraph, due to paragraph 25(l) being repealed.

Item 5 – Paragraph 25(l)

12. This item repeals paragraph 25(l). The purpose of this item is to allow the Commissioner to delegate the following functions or powers to a member of staff of the OAIC:

a.       making determinations for the purposes of section 52 of the Privacy Act after completing a privacy investigation.

Item 6 – At the end of section 25

13.               This item limits the Commissioner’s expanded delegation power in items 3 and 5 to Senior Executive Service (SES) employees, or acting SES employees. This safeguard reflects that decisions made under sections 55K, 73 and 86 of the FOI Act and section 52 of the Privacy Act are of significance, and as such should only be exercised by employees that have the relevant skills and expertise.

Item 7 – Paragraph 29(2)(a)

14.               This item repeals paragraph 29(2)(a) and substitutes it with paragraphs 29(2)(a), (aa) and (ab). This item provides that the following scenarios will not be considered an unauthorised dealing with information, and therefore will not be subject to the offence provision under subsection 29(1):

a.       If a person acquires information in the course of performing an information commissioner function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(a)), or

b.      If a person acquires information in the course of performing a freedom of information function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(aa)), or

c.       If a person acquires information in the course of performing a privacy function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(ab)).

15.               The purpose of this item is to clarify that the exception to section 29 applies to any uses of information for the same function (being either an information commissioner function, freedom of information function, or a privacy function) under the AIC Act for which it was collected. This would allow, for example, information from a Notifiable Data Breach statement to be used in a subsequent investigation into potential Australian Privacy Principle (APP) 11 breaches, as they both fall within the Commissioner’s privacy functions.

Item 8 – Paragraph 29(2)(aa)

16.               This item is a technical amendment to re-letter paragraph 29(2)(aa) to paragraph 29(2)(ac), due to the insertion of the new paragraph 29(2)(aa) above. 

Privacy Act 1988

Item 9 – Paragraph 5B(3)(b)

17.               This item is a technical amendment to reflect that paragraph 5B(3)(b) will be the final paragraph in subsection 5B(3), due to paragraph 5B(3)(c) being removed.

Item 10 – Paragraph 5B(3)(c)

18.               This item will remove the requirement in paragraph 5B(3)(c) that an organisation or operator that is not described in subsection 5B(2) must collect or hold personal information in Australia or an external Territory either before or at the time of the act or practice in order to have an Australian link.

19.               Currently, foreign organisations must meet obligations under the Privacy Act if the entity has an Australian link. A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians’ information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered ‘in Australia’.

20.               The purpose of this item is to update the provision to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia. However, these organisations will often still otherwise be carrying on a business in Australia, and should be required to meet the obligations under the Privacy Act.  

21.               This mirrors similar provisions in the Australian Consumer Law (ACL). Subsection 5(1) of the Competition and Consumer Act 2010 extends the application of the relevant ACL provisions to conduct by Australian incorporated bodies or those carrying on business in Australia, and Australian citizens or people ordinarily resident within Australia.

Item 11 – Subsection 6(1)

22.               This item inserts a definition for the term ‘alternative complaint body’, and sets out that it has the meaning given by subsection 50(1). The term alternative complaint body is used in new section 33A.

23.               This item notes that ‘related body corporate’ has the meaning given to it by subsection 6(8), which states that for the purposes of this Act, the question of whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001.

Item 12 – Section 13G

24.               This item is a technical amendment to allow for the insertion of subsection 13G(2).

Item 13 – Section 13G (penalty)

25.               This repeals the penalty in section 13G.

Item 14 – At the end of section 13G

26.               This item amends section 13G to increase the civil penalty for a serious or repeated interference with privacy. This will ensure penalties are adequate to protect Australians’ personal information, and promote effective deterrence.

27.                An entity will contravene this subsection if the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual, or the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

28.               Subsection 13G(2) sets out the penalty for a serious or repeated interference with privacy by a person other than a body corporate. The item increases the penalty from 2,000 penalty units to $2.5 million.

29.               Subsection 13G(3) sets out the penalty for a serious or repeated interference with privacy by a body corporate. The item increases the penalty from 10,000 penalty units to an amount not more than the greater of:

a.       $50 million (paragraph 13G(3)(a));

b.      three times the value of the benefit the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy if the court can determine this value (paragraph 13G(3)(b)); or

c.       30% of the adjusted turnover of the body corporate, during the breach turnover period for the contravention if the court cannot determine the value of the benefit under paragraph 13G(3)(b) (paragraph 13G(3)(c)).

30.               Subsection 13G(4) sets out that subsection 13G(3) applies despite paragraph 82(5)(a) of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act), which states that when determining a pecuniary penalty for a body corporate, the pecuniary penalty must not be more than 5 times the pecuniary penalty specified for the civil penalty provision. This is necessary to sufficiently deter breaches of privacy, particularly for large digital platforms, and to ensure that individuals are adequately protected. By strengthening penalties, Australia will be signalling its expectations that businesses undertake robust privacy and security practices.

31.               Subsection 13G(5) sets out what the adjusted turnover of the body corporate will be for the purposes of determining a penalty under paragraph 13G(3)(c). The adjusted turnover will mean the sum of the value of all the supplies made by the body corporate or related bodies corporate in connection with Australia’s indirect tax zone. There are exceptions such as supplies made between related bodies corporate, supplies that are input taxed, supplies that are not for consideration and are not taxable, supplies that are not made in connection with the body corporate’s business, and supplies that are not connected with the indirect tax zone.

32.               Subsection 13G(6) clarifies that any expressions used in subsection 13G(5) that are also used in the A New Tax System (Goods and Services Tax) Act 1999 have the same meaning as in that Act.

33.               Subsection 13G(7) sets out what the breach turnover period will be for the purposes of determining a penalty under paragraph 13G(3)(c). The breach turnover period provides the formula for determining the period of time over which the adjusted turnover may be valued.

34.               The breach turnover period will be the longer of either:

a.       The period of contravention. This period will begin at the start of the month in which the contravention occurred, or began occurring. The period will end at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).

b.      The 12-month period ending at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).

35.               This will result in the minimum breach turnover period being at least 12 months. The purpose of the breach turnover period is to ensure the quantum of a penalty is linked to the economic impact of the body corporate’s conduct or to the damage caused by its conduct over the relevant period of time.

Item 15 – Subparagraphs 25(1)(a)(i) and 25A(1)(a)(i)

36.               This item clarifies that compensation orders under section 25 and other orders to compensate loss or damage under section 25A can be ordered if a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of Part IIIA of the Privacy Act (credit reporting). This is a technical amendment to ensure that the new civil penalty in item 38 is not captured.

Item 16 – At the end of section 26WA

37.               This item updates the simplified outline of Part IIIC to include a summary of the Commissioner’s new powers to obtain information or documents in relation to actual or suspected eligible data breaches.

Item 17 – Paragraphs 26WK(3)(c) and 26WR(4)(c)

38.               This item clarifies that when an entity must prepare a statement for the Commissioner following an eligible data breach under section 26WK or 26WR, the entity must include information about the particular kind or kinds of information as opposed to just the kind or kinds of information.

39.               This is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an eligible data breach in order to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.

Item 18 – At the end of Part IIIC

40.               This item adds in the new section 26WU, which provides the Commissioner with information gathering powers in relation to actual or suspected eligible data breaches.  

41.               This is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an actual or suspected eligible data breach in order to assess the particular risk of harm to individuals. For example, additional information may assist the Commissioner in determining whether to issue a notification under section 26WR to direct an entity to notify the Commissioner and affected individuals about an eligible data breach.

42.               Subsection 26WU(1) provides that section 26WU applies if the Commissioner has reason to believe that a person or entity has information or documents or can answer questions in relation to relevant matters, being an actual or suspected eligible data breach of an entity, or an entity’s compliance with notification requirements. Subsection 26WU(2) provides a list of non-exhaustive factors that the Commissioner may consider to be relevant matters. 

43.               Subsection 26WU(3) provides that the Commissioner may, by written notice, require a person or entity to give information, produce a document or answer questions of a kind specified in the notice. Subsection 26WU(4) outlines the procedural requirements of the notice, being that the Commissioner must state the place and time at which the information, document or answers must be provided. Note 1 in subsection 26WU(3) clarifies that section 66 contains the penalties for failure to give information.

44.               Subsection 26WU(5) outlines how the Commissioner must handle documents produced. The Commissioner may take possession of and make copies of the documents, or take extracts from the documents. The Commissioner may retain the documents for any period that is necessary for assessing an entity’s compliance with the notification requirements, and during this time must permit a person who is entitled to inspect the documents to do so.

45.               Subsection 26WU(6) provides that the Commissioner must not exercise this power where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.

46.               Subsection 26WU(7) ensures that if a person or entity complies with a notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.

Item 19 – Division 3 of Part IV (heading)

47.               This item repeals the heading and substitutes it to read ‘Division 3 – Reports and information sharing by Commissioner’. This is to reflect the Commissioner’s new information sharing powers.

Item 20 – At the end of Division 3 of Part IV

Section 33A – Commissioner may share information with other authorities

48.               Section 33A sets out the Commissioner’s power to share information (including personal information) or documents with a receiving body for the purpose of the Commissioner or the receiving body exercising powers, or performing functions or duties. The purpose of this section is to ensure the Commissioner is able to transfer a complaint to a receiving body, and also share information for the purposes of the Commissioner or the receiving body exercising their powers, or performing their functions and duties. This may occur when, for example, the Commissioner is holding information that relates to both an investigation under the Privacy Act, and under the receiving body’s framework. Section 33A is an authorisation by law for the purposes of APP 6.2(b).

49.               Subsection 33A(2) sets out that an enforcement body (as defined in subsection 6(1)), an alternative complaint body (as defined in subsection 50(1)), a State or Territory authority or an authority of the government of a foreign country that has privacy functions will be a receiving body, and can therefore receive information and documents under subsection 33A(1).

50.               The Commissioner’s ability to share information is subject to the safeguards in subsections 33A(3) to (5). 

51.               Subsection 33A(3) provides that the Commissioner may only share information or documents with a receiving body if the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties under the Privacy Act, and the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents. This safeguard is based on the information sharing arrangements in Part VIIIA.

52.               Subsection 33A(4) provides that if the Commissioner acquired the information or documents from an agency, the Commissioner may only share the information or documents with a receiving body under this section if the receiving body is an agency. The term ‘agency’ is defined in subsection 6(1). The purpose of this section is to ensure that where information or documents are obtained from an Australian Government agency, the Commissioner would only be able to share those documents with another Australian Government agency (and not a State or Territory authority, or foreign body).

53.               Subsection 33A(5) provides that the receiving body may only use the information for the purposes for which it was shared. The purpose of this provision is to clarify that a receiving body must only use information shared under subsection 33A(1) to the extent that they are a receiving body and only for the purposes of exercising powers, performing functions or duties as that receiving body.

54.               Subsection 33A(6) makes it clear that the Commissioner is not required to transfer a complaint or part of a complaint to share information or documents with a receiving body.

Section 33B – Commissioner may disclose certain information if in the public interest

55.               Subsection 33B(1) sets out the Commissioner’s power to disclose certain information (including personal information) acquired in the course of the Commissioner exercising powers or performing functions or duties under the Privacy Act if the Commissioner is satisfied the disclosure is in the public interest. The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and reassure the community that the OAIC is discharging its duties. Section 33B is an authorisation by law for the purposes of APP 6.2(b).

56.               Paragraph 33B(2)(a) sets out that, when determining whether a disclosure is in the public interest, the Commissioner must have regard to the rights and interests of any complainant or respondent; whether the disclosure will or is likely to prejudice any investigation the Commissioner is undertaking; whether the disclosure will or is likely to disclose the personal information of any person; whether the disclosure will or is likely to disclose any confidential commercial information; and whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body.

57.               Paragraph 33B(2)(b) sets out that the Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest. For example, the Commissioner may have regard to any consultation with affected entities, and any actions affected entities have taken (such as where the entity has already notified individuals).

58.               Subsection 33B(3) clarifies that section 33B does not limit the Commissioner’s other powers to disclose information.

Item 21 – After paragraph 33C(1)(c)

59.               Paragraph 33C(1)(ca) sets out that the Commissioner may conduct an assessment relating to the ability of an entity subject to Part IIIC (Notification of eligible data breaches) to comply with that Part. This includes the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches to the Commissioner and to individuals at risk from such breaches. Under subsection 33C(2), the Commissioner may conduct an assessment in such manner as the Commissioner considers fit.

60.               The purpose of paragraph 33C(1)(ca) is to expand the Commissioner’s power to assess an entity’s compliance with the Privacy Act to include Part IIIC. Assessments are an important educative tool, and allow the Commissioner to assess compliance in the absence of a breach of the Privacy Act or a complaint having been made.

Item 22 – At the end of section 33C

61.               To assist the Commissioner to conduct assessments, this item will give the Commissioner a new information gathering power for the purposes of conducting an assessment of any kind.

62.               Subsection 33C(3) provides that the Commissioner may, by written notice, require an entity or file number recipient to produce information or a document that is relevant to the Commissioner undertaking an assessment of that entity or file number recipient under section 33C. Subsection 33C(4) outlines the procedural requirements of the notice, being that the information or document must be produced within the period specified in the written notice, which must not be less than 14 days after the notice is given to the entity or file number recipient. Note 1 in subsection 33C(3) clarifies that section 66 contains the penalties for failure to give information.

63.               The purpose of subsection 33C(3) is to ensure entities cooperate with an assessment by providing the relevant information and documents the Commissioner needs to undertake an assessment. This will ensure that assessments are thorough, and not limited to information that is publicly available.

64.               Subsections 33C(4) to (5) contain safeguards to the Commissioner’s power to give a notice under subsection 33C(3). Subsection 33C(4) sets out that the Commissioner must not give a notice unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, the impact on the entity or file number recipient of complying with the notice, and any other matters the Commissioner considers relevant. Subsection 33C(5) sets out that an enforcement body (as defined in subsection 6(1)) is not required to comply with a notice if the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the notice would be likely to prejudice one or more enforcement related activities conducted by or on behalf of the enforcement body.

65.               Subsection 33C(6) provides that the Commissioner must not exercise this power where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.

66.               Subsection 33C(7) ensures that if a person or entity complies with a notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.

67.               Subsection 33C(8) empowers the Commissioner to publish information relating to an assessment on the Commissioner’s website. Subsection 33C(8) is an authorisation by law for the purposes of APP 6.2(b). The purpose of this item is to ensure Australians are informed about the Commissioner’s assessments, and are aware of emerging privacy issues.

Item 23 – At the end of subsection 44(1)

68.               This item adds Note 1 in subsection 44(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 24 – At the end of subsection 46(4)

69.               This item adds Note 1 in subsection 44(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 25 – At the end of subsection 47(1)

70.               This item adds Note 1 in subsection 47(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 26 – Subsection 50(1)

71.               This item repeals the reference to ‘section’ and substitutes it with ‘Act’ to reflect the reference to other authorities in multiple sections within the Privacy Act.

Item 27 – Subsection 50(1) (after paragraph (b) of the definition of alternative complaint body)

72.               This item lists the eSafety Commissioner as an alternative complaint body. This is to ensure the Commissioner is able to transfer complaints and share information with the eSafety Commissioner where permitted under the Act, for example in the event of overlap between privacy complaints and complaints concerning cyberbullying, cyber abuse and image-based abuse.

Item 28 – Subsection 50(1) (definition of Ombudsman)

73.               This item repeals the definition of ombudsman in subsection 50(1), as it is already defined in subsection 6(1).

Item 29 – After subparagraph 52(1)(b)(ii)

74.               Subparagraph 52(1)(b)(iia) sets out that after investigating a complaint, the Commissioner may find the complaint substantiated and make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A).

Item 30 – After paragraph 52(1A)(b)

75.               Paragraph 52(1A)(ba) sets out that after investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A).

Item 31 – After subsection 52(1A)

76.               Subsection 52(1AAA) complements the Commissioner’s power in subparagraph 52(1)(b)(ia) and paragraph 52(1A)(b) to make a determination that includes a declaration that a respondent must take specified steps to ensure conduct, or an act or practice, constituting an interference with the privacy of an individual is not repeated or continued.

77.               Subsection 52(1AAA) provides that the steps specified by the Commissioner may include a requirement for the respondent to engage, in consultation with the Commissioner, a suitably independent and qualified adviser to assist this process. For example, the adviser may review any relevant business practices or processes that contributed to the non‑compliance, or the remediation of the non-compliance. This will help ensure respondents understand what led to the non-compliance, and how to improve practices.

78.               The adviser is to review the acts or practices engaged in by the respondent that were the subject of the complaint, the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued, and any other matter specified in the declaration that is relevant to those acts or practices, or that complaint (paragraph 52(1AAA)(a)).

79.               The Commissioner may include a requirement for the respondent to provide a copy of the review to the Commissioner (paragraph 52(1AAA)(b)).

Item 32 – After subsection 52(5)

80.               This item clarifies that the Commissioner has the power to publish a determination made under section 52, which represents a final finding, on the OAIC website. The purpose of this item is to ensure information about the Commissioner’s determinations is publicly available, and the Australian community is aware of emerging privacy issues.

Item 33 – After section 52

81.               This item inserts section 52A, which sets out the requirements and processes if the Commissioner makes a determination under section 52 which includes a declaration mentioned in subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) that the respondent must prepare a statement, in consultation with the Commissioner, about the conduct that constituted the interference with the privacy of an individual.

82.               Subsection 52A(1) sets out that the respondent must within 14 days (or such longer period as the Commissioner allows) prepare the statement, and, if required by the declaration, make the statement publicly available. The purpose of this item is to ensure that individuals are fully notified and aware of entities that have contravened the Privacy Act, in particular individuals who have been affected by the contravention.

83.               Paragraph 52A(1)(a) sets out the requirements of the statement. The statement must set out the identity and contact details of the respondent or the agency (if the respondent is the principal executive of an agency), a description of the conduct engaged in by the respondent that constitutes the interference with the privacy of an individual, the steps (if any) undertaken or to be undertaken by the respondent to ensure the conduct is not repeated or continued, and any other information required by the declaration to be included in the statement.

84.               Paragraph 52A(1)(b) sets out that, if required by the declaration, the respondent must give a copy of the statement to the complainant or, if the complaint is a representative complaint, to each class member identified as affected by the determination, in the manner specified by the declaration. Paragraph 52A(1)(c) sets out that, if required by the declaration, the respondent must publish, or otherwise communicate, the statement in the manner specified by the declaration (for example, on the respondent’s website). Paragraph 52A(1)(d) sets out that the respondent will be required to provide the Commissioner with evidence, within 14 days after the end of the period specified in the declaration, that the actions required by paragraphs (b) and (c) have been undertaken.

85.               Subsection 52A(2) contains a safeguard to the Commissioner’s power to require the respondent to prepare and publish, or otherwise communicate, a statement. Subsection 52A(2) provides that the matters specified by the Commissioner regarding the preparation and publication or communication of the statement must be reasonable and appropriate. For example, the Commissioner may consider the size of the entity, the scale of the contravention and the number of individuals affected.

Item 34 – Division 3 of Part V (heading)

86.               This item clarifies that the heading for Division 3 of Part V relates to enforcement of determinations only.

Item 35 – At the end of section 55

87.               Paragraph 55(d) sets out that if a determination made under section 52 applies in relation to an organisation or small business operator, the organisation or operator must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 36 – At the end of section 58

88.               Paragraph 58(d) sets out that if a determination made under section 52 applies in relation to an agency, the agency must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 37 – At the end of section 59

89.               Paragraph 59(d) sets out that if a determination made under section 52 applies in relation to the principal executive of an agency, the principal executive must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 38 – Subsection 66(1)

90.               This item repeals the criminal penalty in subsection 66(1) for failure to give information, answer a question or produce a document or record when required to do so under the Privacy Act, and substitutes it with a civil penalty for a basic contravention where a person is required to give information, answer a question or produce a document or record under the Act and refuses or fails to do so – for example, under section 44 or subsections 33C(3), 46(4) or 47(1). The penalty is 60 penalty units for a person, and therefore 300 penalty units for a body corporate (applying the multiplier in subsection 82(5) of the Regulatory Powers Act).

91.               The purpose of converting subsection 66(1) from a criminal offence to a civil penalty provision is to allow the Commissioner to issue a civil penalty or an infringement notice for minor instances of non-compliance without having to resort to the prosecution of a criminal offence. Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.

92.               The supplementary infringement notice section is set out in item 44 (section 80UB).

93.               Subsection 66(1) is subject to the safeguard in subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

94.               A separate criminal offence is set out in subsection 66(1AA) when a body corporate engages in multiple instances of non‑compliance that constitute a system of conduct or a pattern of behaviour.

Item 39 – After subsection 66(1)

95.               Subsection 66(1AA) sets out that a person will commit an offence if the person is a corporation and has engaged in conduct that constitutes a system of conduct or a pattern of behaviour, and the system of conduct or pattern of behaviour results in 2 or more contraventions of subsection 66(1). The penalty for the offence is 300 penalty units. Although this matches the civil penalty units for a basic contravention under subsection 66(1) by a body corporate, conduct regarded as criminal carries a greater stigma and this reflects the more serious nature of an offence under subsection 66(1AA). The purpose of subsection 66(1AA) is to enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions involving more serious, systemic conduct.

96.               Subsection 66(1AA) is subject to the safeguard in subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

Item 40 – Subsection 66(1B)

97.               This item provides that subsection 66(1AA) will not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

Item 41 – Subsection 66(1B) (note)

98.               This item repeals the note in subsection 66(1B) and substitutes it with a note that states that if a person relies on subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, the person bears the evidential burden. The details of the evidential burden are contained in subsection 13.3(3) of the Criminal Code Act 1995 for a criminal penalty, and section 96 of the Regulatory Powers Act for a civil penalty provision.

Item 42 – Paragraph 67(b)

99.               This item clarifies that civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person because they made a statement, or gave a document or information, to the Commissioner. The item removes the caveat ‘whether or not pursuant to a requirement under section 44’ to reflect amendments in this Bill, including the Commissioner’s new information gathering powers in relation to actual or suspected eligible data breaches in section 26WU.

Item 43 – Subsection 70(1)

100.           Subsection 70(1) currently provides that if the Attorney-General issues a certificate in limited circumstances, the Commissioner cannot require a person to give particular information or produce a document or record to the Commissioner. This item clarifies that subsection 70(1) applies when the Commissioner is exercising a power to require information, documents or records under the Privacy Act. For example, it would apply to the new information gathering powers in item 18.

Item 44 – After Division 1 of Part VIB

101.           This item inserts the heading Division 1A – Infringement notices.

102.           Subsection 80UB(1) provides that the basic contravention for failing to provide information, answer a question or produce a document or record, can be subject to an infringement notice under Part 5 of the Regulatory Powers Act.  

103.           The purpose of subsection 80UB(1) is to allow an infringement officer to issue an infringement notice instead of seeking a civil penalty for contraventions of subsection 66(1) where a person is required to give information, answer a question, produce a document or record, and the person refuses or fails to do so. This will enable the OAIC to resolve matters more efficiently.

104.           Subsection 80UB(2) provides that the Commissioner and a member of the staff of the Commissioner who holds, or is acting in, an office or position that is equivalent to an SES employee will be an infringement officer for the purposes of exercising powers under Part 5 of the Regulatory Powers Act. Subsection 80UB(3) sets out that the Commissioner is the relevant chief executive for the purposes of exercising powers under Part 5 of the Regulatory Powers Act.

105.           Subsection 80UB(4) makes it clear that Part 5 of the Regulatory Powers Act extends to every external Territory of Australia.

106.           In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate.

Item 45 – Application of amendments

107.           This item provides the arrangements for how amendments made by Schedule 1 are to be applied.

108.           The ACMA will be able to disclose authorised information under subsection 59D(1) of the ACMA Act regardless of whether the information was acquired by the ACMA prior to commencement of this item.

109.           The clarification to section 29(2) of the AIC Act applies in relation to information acquired before or after the commencement of this item.

110.           The increased penalties under section 13G do not apply in relation to an act done, or a practice engaged in, before the commencement of this item.

111.           The requirement for eligible data breach statements to include information about ‘particular’ kinds of information under paragraphs 26WK(3)(c) and 26WR(4)(c) will only apply in relation to statements prepared after the commencement of this item.

112.           The Commissioner will be able to give a notice to an entity or person under section 26WU to give information, produce a document or answer questions of a kind specified in the notice regardless of when the actual or suspected eligible data breach occurred or may have occurred.

113.           The Commissioner will be able to disclose information or documents under section 33A regardless of whether the information or documents were obtained prior to commencement of this item.

114.           The Commissioner will be able to disclose information under section 33B regardless of whether the information was obtained prior to commencement of this item.

115.           The Commissioner will be able to give a notice to an entity under section 33C to produce information or documents in relation to an assessment only if the assessment has not yet been started, or has not yet concluded.

116.           The Commissioner will be able to make a determination that includes the expanded declaration powers in section 52 if the investigation has not yet been started, or has not yet concluded.

117.           The Commissioner will be able to publish a determination made under section 52, regardless of when the determination was made.