The Australian Federal Government has announced major changes to the Privacy Act 1988 (Cth) (Privacy Act), including additional powers for the Office of the Australian Information Commissioner (OAIC), and tougher penalties for misuse of personal information.
The Attorney-General stated that the Privacy Act required updating in response to the recent boom of online companies trading in personal data. The amendments are intended to protect Australians (especially children) using the Internet, ‘without impeding the continued innovation and development of companies working in the online space.’
The new regime will increase the maximum penalties for misuse of personal information by entities covered by the Privacy Act, from $2.1 million for serious or repeated breaches, to the greatest of:
- $10 million
- three times the value of any benefit obtained through the misuse of information
- 10% of a company’s annual domestic turnover
The updated penalties will bring Australia more in line with the General Data Protection Regulation (GDPR) penalty regime, under which the maximum penalty for a company’s breach of privacy is €20 million or 2% of that company’s annual global turnover.
Personal information is misused if it is used by an APP entity for a purpose that is not permitted by the Privacy Act. Misuse may be a deliberate or accidental invasion of privacy; common examples are the collection or disclosure of private information about an individual without the individual’s consent (as required under the Privacy Act).
The penalties will apply to multinational social media and online platforms operating in Australia, including tech giants Google and Facebook. For some companies, fines under the new laws may exceed $100 million.
The OAIC will be given powers to issue infringement notices for failure to cooperate with efforts to resolve minor breaches. It is hoped these powers, backed by new penalties of up to $63,000 for companies or $12,600 for individuals, will encourage collaboration and assistance. The Government also intends to provide the OAIC with more options to ensure breaches are addressed, via third-party reviews and/or publication of notices about specific breaches, so that individuals who are directly affected are aware of threats to their personal information.
The recently announced 2019 budget includes a $25.1 million increase to the OAIC’s funding over the next three years, to handle the changes and enforce compliance. This is on top of the 2018 $12.9 million increase received by the OAIC in relation to the Consumer Data Right regime.