19/12/2022·4 mins to read
Australia strengthens data breach laws with implications for NZ businesses
The Australian Privacy Act 1988 (Australian Privacy Act) has been amended, bringing in significant changes in relation to penalties payable for data breaches and enhanced powers for the Australian regulator.
In this FYI we look at the main changes to the Act, the reasons behind them and how they will impact New Zealand organisations.
Key changes
- a significant uplift in the maximum penalties that can be imposed for serious or repeated privacy breaches;
- providing the Australian Information Commissioner with greater powers to ensure compliance with the Australian Privacy Act, including strengthening the Commissioner’s powers in relation to the Australian Notifiable Data Breach Scheme (such as pre-emptively assessing an entity’s compliance with the Scheme even if no breach has occurred); and
- expanding the extra-territorial scope of the Australian Privacy Act so that a foreign entity can be subject to the Act if it carries on business in Australia, even if it has no local entity in Australia and it does not collect or hold personal information in Australia.
The amendments are expected to come into effect in early 2023.
Background
The Attorney-General’s Department is currently undertaking a comprehensive review of the Australian Privacy Act. However, the current amendments to the privacy breach regime were introduced in October largely in response to recent large-scale privacy breaches in Australia - in particular, the breaches affecting telecommunications provider Optus and, just a matter of weeks later, Medibank, one of Australia’s largest health insurance providers. In introducing the amendments, the Australian government described the existing safeguards as inadequate and unfit for purpose.
Increased penalties
The amendments will increase the maximum penalties that can be applied under the current Australian Privacy Act.
For a person other than a body corporate, the penalty for “serious or repeated” interferences with privacy will be increased to AU$2.5 million - an increase from AU$444,000.
For a body corporate, the maximum penalty will be increased from the current maximum of AU$2.2 million to an amount not exceeding the greater of:
- AU$50 million;
- three times the value of the benefit obtained; or
- 30% of the body corporate’s adjusted turnover in the relevant period (if the court cannot determine the value of the benefit).
The hope is that these levels of penalties will incentivise better behaviour in relation to the protection of personal data.
In contrast, under the New Zealand Privacy Act the maximum fine is NZ$10,000 or, if an action is brought before the Human Rights Review Tribunal, the maximum compensation that can be awarded is NZ$350,000.[1]
Enhanced enforcement powers
The Office of the Australian Information Commissioner (OAIC) has also been granted enhanced powers. These include:
- expanding the types of declarations that the OAIC can make in a determination at the conclusion of an investigation;
- providing the OAIC with new powers to conduct assessments of an entity’s ability to comply with the Australian Privacy Act;
- providing the OAIC with new infringement notice powers to penalise entities for failing to provide new information, without the need to engage in protracted litigation; and
- strengthening the Notifiable Data Breaches Scheme to ensure the OAIC has comprehensive knowledge of the information compromised in an eligible data breach, so that it can assess the particular risk of harm to individuals.[2]
Extraterritoriality
The extraterritorial reach of the Australian Privacy Act has also been extended. It will now apply to all foreign organisations that carry on a business in Australia, even if they do not collect or hold personal information in Australia.
What does this mean for New Zealand organisations?
The amendment to the extraterritorial jurisdiction of the Australian Privacy Act means any New Zealand entity that “carries on a business in Australia” will need to comply with it, even if it does not collect or hold personal information about Australians directly from a source in Australia, and the consequences of failing to comply can be significant.
New Zealand entities subject to the Australian Privacy Act could also be subject to compliance assessments by the OAIC and to the OAIC’s information-gathering requests. It would be prudent for New Zealand businesses to review and assess their privacy policies and practices to ensure they comply with the Australian Privacy Act’s requirements.
The Australian Privacy Act reforms bring its privacy breach enforcement regime closer into line with that under the General Data Protection Regulation (GDPR), which applies across the European Economic Area and appears to be the standard that many jurisdictions are moving towards. The reforms also highlight how far New Zealand’s regime is falling behind in terms of the levels of penalties that can be incurred. However, this may be offset to some degree by the role that New Zealand’s Office of the Privacy Commissioner plays in assisting and encouraging good privacy practices in New Zealand – whether through education and guidance or through the exercise of the Commissioner’s powers to undertake own-motion investigations and issue compliance notices.
Regardless of the levels of penalties that can be imposed under law, the recent high-profile data breaches, including Optus and Medibank in Australia and Mercury IT here in New Zealand, have highlighted the business disruption and reputational implications that data breaches can have on businesses. It is always good business practice for entities to regularly review their technical and operational security practices to ensure that they are taking appropriate measures to protect the data they hold against data breaches.
If you would like advice on the implications of the legislative changes to your business, please get in touch with one of our contacts.
Special thanks to James Burnett for his assistance in writing this article.