The costs of having a data breach just increased (officially)
Compliance
Privacy update - 30th November

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) is now law! The Bill passed both Houses of Parliament and will commence the day after receiving Royal Assent. The key impact of the Bill is to increase the maximum civil penalties that relate to serious or repeated breaches of the 13 APPs or of the notifiable data breach scheme.

Significant increase in penalties for serious data breaches

The Privacy Act 1988 (Cth) (Privacy Act) applies to the handling of personal information by most Australian Government agencies and by private companies, excluding “small” businesses with annual turnover of less than AUD$3 million. Before the Bill became law, the maximum civil penalty for “serious or repeated interferences with privacy” was AUD$2.22 million. The Bill introduces a significant increase in penalties, broken down as follows.

Under the Bill, the maximum penalty for serious or repeated interferences with privacy increases to:

For bodies corporate, a cap of the greater of:
- $50 million;
- three times the value of the benefit obtained that is attributable to the breach; or
- if the court cannot determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
This is significantly higher than the previous maximum of $2.2 million.

For unincorporated entities (including individuals, sole traders and partnerships), the penalty will be AUD $2.5 million. This is significantly higher than the previous maximum of AUD $440,000.

How do these increased penalties place Australia in relation to other regimes?

The new maximum penalties are similar in approach to those under Europe’s GDPR, which is widely considered to be the strongest global privacy regime. GDPR includes fines of €20 million, or up to 4% of global revenue, whichever is the greater. With the passing of this Bill, Australia now has some of the most severe maximum financial penalties for data privacy violations in the world, with fines for large businesses potentially reaching hundreds of millions of dollars.

Very real costs to a business

It is important to understand that these new maximum penalties only apply to a breach of the Privacy Act that constitutes a “serious or repeated interference with privacy” under section 13G of the Privacy Act. Even so, it is worth understanding what could lie ahead if a regulator does ask the court to apply the maximum penalty for a serious or repeated breach.

The maximum penalty could apply to scenarios involving security incidents, data breaches and breach notifications, but it could also apply to other compliance violations. This includes issues relating to the handling of personal information, such as transparency, privacy governance, uses and disclosures of personal information, or even the over-retention of types of sensitive data for a period beyond what is legally necessary.

A concerning part is the definition of the “breach turnover period” used when calculating the maximum fine. This period could be very long in some circumstances, in particular where an issue was unknown and went undetected for some time. For example, an undetected security vulnerability (which may exist in a legacy system that was supposed to have been decommissioned 5 years ago but was not) could result in a five-year turnover period. Similarly, the retention of records long past their valid retention period (which is a breach of APP 11.2) could see an organisation’s “turnover period” run for the whole period those records have been held past their appropriate destruction date.

An organisation must also remember that the significant penalties for a breach outlined above may be in addition to any compensation payment that the Federal Court may direct an organisation to pay if a civil penalty order has been made for a breach of section 13G (serious or repeated interferences with privacy).

The increased penalty regime does not apply to all data breaches. Just because an organisation has suffered a data breach does not mean it has failed to comply with the Act. In the case of Australian Privacy Principle 11.1, it remains the case that the organisation must have failed to take reasonable steps in the circumstances to secure personal information in order for there to be a breach of APP 11.1. These fines are only for serious or repeated conduct. It is widely expected that further reforms may include a tiered scheme with lower penalties for less serious conduct.

At the recent IAPP ANZ Summit 22, both the OAIC and the ACCC confirmed that most cases settle before the regulator needs to ask the Federal Court to issue the maximum fines. The usual path for a business that has done something deemed “serious” or “repeated” in breach of the Privacy Act is to negotiate compensation payments and other remediation packages; this avoids the regulator needing to ask the court for a fine, let alone the maximum one. The maximum penalty is merely a guide for the event that a business is particularly stubborn and chooses not to negotiate.

$50 million is nothing in the scheme of things

Recent breaches that have made headlines have also shown marketers that the real penalty they suffer for a breach of the Privacy Act goes far beyond the penalties set out in the law. The increase in possible regulatory penalties is often a lesser deterrent for a business than the reputational damage a brand can face.

Loss of consumer trust, brand reputation and shareholder value are the real costs of a data breach, and these end up costing a business a lot more than $50 million. Regardless of whether a regulator gets you, your customer base will bite back and, in the worst-case scenario, leave you for your competitor. Marketers need to treat the data they collect, manage and hold responsibly, because “not becoming a case study” means so much more than just avoiding a fine.

This is just the beginning

The Bill is only the beginning of the slated changes to the Privacy Act. Broader amendments will undoubtedly follow the conclusion of the AGD’s review, which is expected to be completed and handed to the Attorney General by the end of the year. Marketers are at the frontline of data collection, with an important role in how that data is managed, used and disclosed. Make sure that you and your team are across the foundational principles of privacy and marketing compliance. It has never been more important to help mitigate the risk to your organisation.