There is no question that one of the most high-profile legal issues at the moment relates to privacy and data control.

Recent privacy breaches have highlighted that Australia's laws may not be as effective as we would like in requiring businesses to take appropriate precautions to prevent the inappropriate release of private information and personal data.

In part, this may be because Australia has a very low penalty regime with respect to privacy breaches. This, and other relevant matters, are currently being considered - and an update to the Privacy Act 1988 ('the Act') has now been drafted and introduced into Parliament.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 considers some of the core elements referred to in the 2021 Exposure Draft. In particular it increases penalties for data breach. Currently, a corporate entity could be exposed to penalties of up to $2.22 million.

Moving forward, under the new regime, penalties will be the greater of:

  • $50 million;
  • 3 times the value of the benefit obtained by the company; or
  • 30% of the adjusted turnover of the company during the period in which the privacy breach occurred.

Non-corporate entities and individuals will have their penalties raised from $444,000 to $2.5 million.

Other amendments to the Act include an expansion of the test which determines whether a foreign entity has an Australian link - and is therefore required to comply with the Privacy Act 1988. The Office of the Australian Information Commissioner has also been given enhanced enforcement powers in relation to the collection of information, and the conduct of compliance assessments.

There are also new enforcement powers which allow the Commissioner to conduct external reviews and publish notices to affected individuals in relation to specific privacy breaches.

Looking towards the future

It will be interesting to see which of the more radical suggestions arising from the 2021 Discussion Paper will be incorporated into the next round of changes.

These changes would introduce, for example, the ability of individuals to bring action directly against a company that has breached the Australian Privacy Principles, which would create a tort of invasion of privacy that could be applied in instances where there is material inappropriate conduct.

There is also some suggestion of expanding the definition of personal information, and strengthening the requirements for consent.

Whilst these changes are not yet contained in any proposed legislation, with continuing data breaches and high-profile cyber-attacks, the government is very likely to continue looking at strengthening the system.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.