Australian Government to increase penalties for privacy violations and expand enforcement powers of the OAIC

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) was announced by the Australian Government on 22 October 2022. The Bill will increase maximum penalties that can be applied against companies under the Privacy Act 1988 (No.119, 1988) (as amended) (the Privacy Act) for serious or repeated privacy breaches from the current AUD2.22 million (approx. EUR1.44 million) penalty to whichever is the greater of:

• AUD50 million (approx. EUR32.3 million);
• three times the value of any benefit obtained through the misuse of information; and
• 30% of a company's adjusted turnover in the relevant period (which will be the longer of either a minimum of 12 months ending when the company ceased the violation or, the actual period of contravention). The adjusted turnover will generally mean the sum of the value of all the supplies made by the company or related bodies corporate in connection with Australia’s indirect tax zone.

The Bill will also provide the Office of Australian Information Commissioner (OAIC) with enhanced enforcement powers, including amending its extra-territorial jurisdiction to ensure that foreign entities doing business in Australia comply with privacy laws, new powers to conduct assessments of data breaches and powers to penalise entities for failure to provide information.

The OAIC’s existing power to require a respondent to take specific steps to stop and remedy the violations is expanded with further rights to require the respondent to engage an independent qualified adviser to assist with this process. The violator may now be required to prepare and publish a statement about the conduct that led to the interference with privacy. A separate criminal penalty can be imposed if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour.

The Bill will further:

• strengthen the Australia’s Notifiable Data Breaches scheme to ensure the OAIC has comprehensive knowledge and understanding of data compromised in a breach to assess the risk of harm to individuals; and
• equip the OAIC and the Australian Communications and Media Authority with greater information sharing powers.

The Attorney General highlighted that the Bill is in addition to a comprehensive review of the Privacy Act by the Government to be completed this year.

See here for the Bill, the explanatory note and the legislative file. The press releases of the Australia’s Attorney General are available here and here.