Chapter 2

Key issues

2.1
Submitters and witnesses supported stronger protections for the security of personal information, with some describing the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) as long overdue.1
2.2
The Law Council of Australia (Law Council) noted that individuals are increasingly required to provide personal and sensitive data to participate in Australia’s digital economy and to access services.2 However, as the Office of the Australian Information Commissioner (OAIC) highlighted:
…[W]e have seen several recent high-profile data breaches involving the personal information of millions of Australians and the resulting impacts this has had on the community. It is essential that the Australian privacy framework provides the right regulatory tools to enable the OAIC to respond efficiently and effectively to privacy harms emerging through the digital environment and [to] deter non-compliant behaviour.3
2.3
CHOICE concurred that the ‘case for strengthening Australia’s privacy laws and regulatory enforcement powers has never been clearer’.4 While the Business Council of Australia (BCA) agreed on the need to protect Australians’ personal information, it emphasised that businesses operate in an ‘increasingly challenging environment’ where cyber incidents are inevitable:
It will be impossible to prevent all attacks. All frameworks put in place to respond to cyber incidents must recognise this. New attack methods, the discovery of zero-day vulnerabilities, leaking of government cyberattack tools, and sophisticated attackers all make it impossible for businesses to be immune to cyber incidents.5
2.4
Submitters and witnesses commented broadly on potential legislative reforms to address transnational cybercrime and to enhance Australian privacy law, as well as the proposals contained in the Bill.
2.5
This chapter examines the following key issues raised in submissions and at the public hearing in relation to the Bill:
the ongoing review of the Privacy Act 1988 (Privacy Act);
the proposed increase to maximum penalties for serious or repeated interferences with privacy;
the proposed expansion of enforcement powers for the Australian Information Commissioner (the Commissioner); and
the proposed information sharing powers for the Commissioner and the Australian Communications and Media Authority (ACMA).

Review of the Privacy Act 1988

2.6
On 30 October 2020, the Attorney-General’s Department (AGD) commenced a review of the Privacy Act (Privacy Act Review), as recommended by the 2019 Digital Platforms Inquiry (Digital Platforms Inquiry).6
2.7
The AGD conducted consultations and received numerous submissions on a broad range of potential reforms spanning the scope and application of the Privacy Act. The review is due to be completed shortly, with the report to be presented to the Attorney-General by the end of 2022.7
2.8
Several submitters and witnesses engaged with the Privacy Act Review.8 Business stakeholders especially noted the importance of industry working with government to improve privacy protections and cyber security.9
2.9
Some stakeholders commented also on the timing and interaction of the Privacy Act Review and the Bill. The Law Council, while supportive of the Bill, emphasised the importance of a holistic approach to privacy law reform:
[The Law Council] continues to welcome and engage with the holistic review of the Privacy Act, which is being concurrently conducted by the Attorney-General’s Department. The Law Council considers that it will be important to maintain the momentum of this review to avoid uncertainty and unintended consequences created by the fragmented approach to reform, to which the Privacy Bill is contributing.10
2.10
A few submitters suggested that it might be preferable to wait for completion of the Privacy Act Review. The Australian Privacy Foundation (APF), for example, submitted:
The APF strongly recommends that any amendments to the Privacy Act only be made as part of the comprehensive reforms that have been under consideration by the Australian government for three years.11
2.11
The Law Council and BCA noted the importance of ensuring that all privacy law reforms are consistent. The BCA highlighted also that the Bill would have broader implications than just responding to the recent cyber incidents. For example, increased maximum penalties would apply to ‘the range of relevant offences under the [Privacy] Act, and potentially to any new provisions legislated as part of the Privacy Act Review’.12
2.12
In response to these concerns, and consistent with the Attorney-General’s second reading speech, the AGD submitted that the Bill needed to be introduced now to address ‘the more pressing issues arising from recent serious data breaches and cyber incidents’.13
2.13
The AGD noted that, once the Privacy Act Review has been completed, a broad range of potential reforms will be recommended to the Australian government:
This review will recommend further reforms to ensure Australia's privacy framework protects the personal information of Australians, supports an innovative economy and responds to the new challenges in the digital age. Broader proposals, including measures to address the amount of personal information that entities are collecting and how they are storing it, are issues that have been raised and considered through this review process, and it's appropriate that these reforms be considered holistically in that process, given the range of complex and interconnected issues and other work across government.14
2.14
With respect to momentum, an official noted that ‘the Attorney-General has a real interest in this area and certainly has expectations in terms of this review being finalised so that we can move to that next step’.15

Increased maximum penalties for certain interferences with privacy

2.15
The Bill proposes to amend section 13G of the Privacy Act. This section sets out a contravention for a ‘serious interference’ with an individual’s privacy or a ‘repeated’ interference with the privacy of one or more individuals. The Bill would convert this existing provision into subsection 13G(1).16 The following proposed subsections 13G(2)-(3) would increase the civil penalty for the ‘serious interference’ or ‘repeated’ interference (see paragraph 1.18).17

Protecting personal data

2.16
A broad range of stakeholders supported increasing the penalties for serious or repeated interferences with individuals’ privacy. Salinger Privacy, a private consultancy specialising in privacy matters, considered that, at present, corporations are not appropriately respecting or protecting privacy:
It is essential that the regulatory regime in Australia makes the cost of noncompliance with the Privacy Act more expensive than the cost of compliance. Fines under the Privacy Act should not be seen as simply a cost of doing business. Increasing the penalties available under the Privacy Act will send a strong signal to businesses and other entities around Australia that they must take their legal obligation seriously.18
2.17
Professor David Lacey, Managing Director of IDCARE, a specialist support service, considered that the proposed penalties are robust enough to sharpen the focus on data security. He added:
…[F]rom what we're seeing in the environment at the moment, there's perhaps a degree of under-reporting, and that's in the absence of these types of penalties in any case. So we don't necessarily feel as though the increase of penalties or what organisations might be up for will necessarily create that disincentive to report.19
2.18
Digital Rights Watch described the proposed penalty increases as ‘an important improvement’ to the ‘woefully inadequate’ fines that are currently provided for in the Privacy Act. In its view, the need to take privacy more seriously is reflected in proposed subsections 13G(2)-(3), and it expressed hope that these might lead to widespread organisational change:
It is our hope that increased penalties will also contribute to changing the culture regarding data gluttony, and compel organisations to consider data lakes containing personal information to be a toxic asset. Too many organisations currently collect and retain far too much personal information for a variety of reasons. Without appropriate disincentives, many organisations consider retaining information to be easier than deletion, or opt to hold onto more data than they need ‘just in case’ there is a use for it later. However, we would emphasise that fines alone are not enough to change this culture of over-collection.20
2.19
The Digital Industry Group Inc. (DIGI) added that ‘recent data breach events have underscored the importance of data minimisation’, noting that the Privacy Act Review provides an opportunity to ‘retain and refresh the data minimisation principle’ in the Australian Privacy Principles (APPs).21
2.20
In response to the perceived ‘data gluttony’, the BCA reiterated that businesses collect and use data to deliver better, as well as basic and essential, services and experiences for all Australians. It noted also that long-standing legislation and regulation at both federal and state levels continues to compel businesses to collect information:
Many organisations…have long argued that government should pursue reforms that bring the priorities of these various pieces of work into alignment, and harmonise the various regimes governing the use of data in Australia. Despite this, further reforms requiring greater collection of personal information have also been broached, including as part of online safety regimes and electronic surveillance reforms. Existing laws are opaque about whether businesses are required to hold the data necessary to fulfill their obligations. Realistically, to be able to demonstrate compliance and support government priorities, businesses must retain this information.22

Compensation for harms

2.21
Some submitters and witnesses commented on the various harms that can result from the inadequate protection of personal data. Dr Katharine Kemp, a legal expert in the fields of competition, consumer protection and data privacy regulation, highlighted that ‘privacy breaches may have open-ended, often hidden impacts on an individual’s opportunities, vulnerabilities, financial security and health for years after the breach’.23
2.22
Professor Lacey informed the committee:
Around a quarter of the people that engage IDCARE services and speak with our specialist case managers have no idea how their information was actually compromised or stolen, and they have experienced the exploitation of their details by criminals through, for example, the establishment of accounts with financial institutions, accessing of government services and hacking of social media accounts, email accounts or the like. For that cohort in the community, you can imagine the impact that will have on them emotionally but also financially and, going forward, their participation online in other arrangements that they may have in their lives.24
2.23
Specifically in respect of the Medibank Private Limited data breach, Professor Lacey highlighted that the harm is not so much about the credential exposure and risk but the release of deeply personal and sensitive information:
Medibank—what its customers are experiencing and what that threat actor is trying to achieve through its information operations and through using the media in the way that it is—is amongst the ugliest breaches we've ever seen…[S]ensitive, personal information has been accessed by a third party that wasn't authorised, and, in some sad and sinister cases, published online. The human cost is a very emotional, psychological and, in some cases, physiological impact. It is not uncommon for us, even beyond the Medibank breach, to have people come to us and say, 'I was physically sick when I found out this happened. I am no longer sleeping. I don't answer the phone.' It has quite a detrimental impact on people's core being.25
2.24
Digital Rights Watch submitted that, although the Bill would provide for increased maximum penalties for interferences with privacy, these penalties would not necessarily translate to redress for those individuals harmed by interference(s):
Stronger fines will not get people’s personal information back once it has been compromised. One area where this could be improved is compensation. The current test for compensation is based on harm suffered, yet data breaches such as Optus or Medibank require people to take proactive steps to guard against harm, and they may suffer harm much later and in unexpected ways. The test for compensation needs to change. There is a serious need to give power to individuals to seek redress for the harm they have suffered as a consequence of privacy invasion.26
2.25
The Council of Small Business Organisations of Australia (COSBOA) agreed that individuals and small businesses have been significantly harmed by the recent data breaches, yet there is no appropriate compensation available:
An individual who has not been an Optus customer for years has been offered Optus credit rather than a cash reimbursement to cover their losses. This is of absolutely no use to them and is extremely frustrating. Had their data not been retained by Optus after all these years, they would not have had to experience the stress, financial hardship, and consequential losses they have suffered.27

Comparative regimes

2.26
The OAIC submitted that proposed subsections 13G(2)-(3) would ‘ensure penalties under the Privacy Act are comparable with those of other domestic and international regulators’.28 For example, the OAIC, the AGD and Dr Kemp all referenced similar provisions recently introduced into the Competition and Consumer Act 2010 (Consumer Law), in response to the 2019 Digital Platforms Inquiry.29
2.27
The Law Council noted that, at the time of the recommendation, the maximum financial penalties available under section 151 of the Consumer Law were much lower. Further:
…[T]he penalties under the Consumer Law that the Privacy Bill seeks to ‘mirror’ are new and untested—they have been subject to limited consultation, and their practical ramifications are currently unknown…[The Law Council is] troubled by the extent to which the Explanatory Memorandum to the Privacy Bill relies on the new penalty regime under the Consumer Law as the primary justification for the proposed changes to section 13G of the Privacy Act.30
2.28
The AGD acknowledged that the maximum penalties available under the Consumer Law have increased since 2019 but explained that the rationale underpinning the Digital Platforms Inquiry recommendation remains sound: ‘it highlighted the close links between competition, consumer and privacy laws, and that there was a need to avoid a siloed approach to how we address those’.31
2.29
With regard to international jurisdictions, the AGD referred explicitly to the European Union’s General Data Protection Regulation (GDPR), submitting that the penalty provisions in this privacy framework also provide for significant penalties:
…[T]he European Union’s General Data Protection Regulation has a maximum penalty of €20 million or 4 per cent of a company’s annual global turnover, whichever is higher. This has led to significant fines against large digital platforms, including a €746 million (AUD $1.15 billion) fine against Amazon, €405 million (AUD $626 million) fine against Meta Platforms, €225 million (AUD $348 million) fine against WhatsApp and €90 million (AUD $139 million) fine against Google.32
2.30
However, some submitters—such as Dr Kemp and the Australian Banking Association—disagreed that the GDPR penalty regime is comparable to the Bill, as the EU framework notably provides for a system of tiered penalties (see ‘A tiered approach’ below).33
2.31
A few submitters cautioned that the effect of proposed subsections 13G(2)-(3) would be limited, as more comprehensive reforms are required to address issues of privacy protection and cybercrime prevention. The Tech Council of Australia highlighted that skills shortages, regulatory gaps, and lack of investment in more secure technology and practices need to be addressed. On the first of these points:
We believe that cyber security skills and talent is an area in need of far greater attention. Australia does not have enough cyber security professionals. In 2021, the vacancy rate for cyber security roles was over double the economy-wide vacancy rate…The skills shortages are concentrated in roles with 3+ years’ experience, and which require University degrees. That means they cannot be solved in the short-term by labour market adjustments or training. If businesses cannot hire experienced cyber security and tech talent, their capacity to prevent and manage incidents is far lower.34
2.32
COSBOA commented similarly:
A greater investment from Government in secure technology and practices is required, while also addressing urgent skills shortages, improving cyber skills and awareness, and providing greater resources for education and training in conjunction with new technology solutions…[T]he cost of increased penalties will likely have a flow on effect causing supply chain issues.35
2.33
Dr Kemp submitted that, while substantive amendments to obligations, exemptions and definitions in the Privacy Act would provide far greater privacy protections:
…increasing maximum penalties in the short term at least assures organisations that if they do contravene the current relatively weak privacy obligations and do so in a way that amounts to a ‘serious’ or ‘repeated’ interference with privacy which the OAIC manages to prove in the Federal Court, the consequences for the organisation may be severe and not merely a commercial speed bump.36

Imposition of the maximum penalties

2.34
Some submitters argued that the maximum penalties set out in proposed subsections 13G(2) and 13G(3) are too high. The Law Council pointed out that regulated entities include smaller organisations and, as noted by the Community Council for Australia, charitable organisations, both of which, they argued, would cease to be viable if penalised under the proposed provisions.37
2.35
The Commissioner, Ms Angelene Falk, noted that the penalty provisions apply to a broad range of privacy requirements and are only one of the options available to her:
…the increased amounts would apply in a range of contexts, not only in a data breach context but also where there's a misuse of personal information by an entity, where there has been a secondary disclosure or where there has been a failure to obtain consent and so on…[W]e need to ensure that Australians' personal information is protected from known risks…[W]e know that there are particular risks in our environment at present. One is malicious criminal actors; the other is human error…Because they are known risks, we need to ensure that businesses put in place reasonable steps to prevent them. If they have done so, it will not constitute an interference with privacy, and therefore the issue of applying for a penalty doesn't arise. But, for example, if there has been a failure to mitigate known risks—if there's been a failure, for example, to train staff or to alert them to how to identify phishing emails, or if the information is sensitive and warrants particular protection, such as multifactor authentication, and that's not provided—then they're the situations where I'd be more inclined to investigate a data breach and then consider regulatory options. A civil penalty would be only one regulatory option. The others are seeking an enforceable undertaking for the entity to rectify the problem and ensure it's not repeated; I can also make a determination, which is an administrative decision ordering or declaring that the entity rectify the situation; or, as you say, in more egregious circumstances, I can seek a civil penalty.38
2.36
The AGD considered that ‘the penalties that we have in our bill would really only apply to the most egregious breaches’. With respect to smaller organisations, it further noted that most small businesses are currently exempt from the application of the Privacy Act, and the size of the business would also be considered in determining whether it had taken reasonable steps in relation to the security of personal information.39

A tiered approach

2.37
Several submitters and witnesses argued that the proposal to increase maximum penalties should adopt a tiered approach, as was put forward in the Discussion Paper released for the Privacy Act Review and/or as is the case under the GDPR.40
2.38
COSBOA submitted that a scaled approach to setting and capping maximum penalties would ensure that they are proportionate to the seriousness and frequency of potential breaches. Further:
It is also worthwhile considering a different penalty regime which is dependent on the entity type and ensures appropriate and proportionate penalties are applied to companies, partnerships, microbusinesses and sole traders.41
2.39
The Community Council for Australia concurred with this suggestion, submitting that the size of an organisation and the nature of its work should be a relevant consideration: ‘penalties of up to 30% of an organisation’s turnover would break the vast majority of charities and force them to close’.42 The BCA expressed a similar concern in relation to large businesses due to the size of the proposed maximum penalties.43
2.40
Salinger Privacy questioned whether the proposed maximum penalties would have any impact on the non-compliant conduct of most organisations. It explained that there are two significant problems with the current enforcement regime: only ‘serious’ or ‘repeat’ conduct attracts a fine; and the OAIC cannot levy fines directly:
Businesses from banks to dentists, from real estate agents to app developers, should be motivated to implement good practices due to concern about the likely consequences of not complying with the Privacy Act. So long as the enforcement regime is only for ‘serious’ or ‘repeat’ conduct, and fines can only be levied by the Federal Court, many organisations will continue to ignore their obligations in the hope that the regulator is too overwhelmed to bother taking them to court, and that they could easily defend most conduct as either not serious or not repeat anyway.
We suggest that the perceived likelihood of being penalised is a more powerful motivator than simply the amount of the maximum penalty. Until this limitation is addressed, it will not matter that the top fine is $50M or more; most organisations will not imagine themselves ever being subject to such a penalty, and thus will continue their information handling practices without improvement.44
2.41
Salinger Privacy suggested that a more effective, fair and scalable penalty regime would be a tiered approach, with provision for aggravating factors and a need to involve the Federal Court for ‘serious’ or ‘repeat’ interferences only at the maximum penalty level specified in the Bill.45
2.42
The Tech Council of Australia agreed that ‘penalties should be proportionately applied’, and submitted that the Bill could be amended to provide for lower maximum penalties for less severe infringements:
for example, the GDPR adopts a tiered approach to maximum penalties, with a smaller maximum penalty for less severe infringements, and larger maximum penalties reserved only for the most severe infringements.
introducing a tiered model would also provide more legal clarity for smaller businesses about their potential risk levels and exposure to the increased penalties.46
2.43
In response, the AGD advised that the department is considering a tiered approach to penalties as part of the Privacy Act Review, noting that there is an argument for a mid-tier penalty:
…[T]he Information Commissioner…has a range of regulatory action that she can take. It’s quite a spectrum, so at the very low end she can provide guidance and education; if there's a complaint she can attempt to conciliate; for more serious issues she may decide to make a determination; for a serious or repeated breach of privacy she can pursue a civil penalty. The feedback that we've had through the review to date is that perhaps there's not enough of a spectrum in terms of being able to address the different types of seriousness of privacy breaches that can occur and, in particular, that there's not much in between a determination that the Commissioner can make and when there's a very serious or repeated breach of privacy. One of the ideas that we are considering through the review is whether there should be a mid-tier penalty that could apply for any breach of the Privacy Act.47

Safe harbour mechanism

2.44
Several business stakeholders called for the Bill to incorporate a ‘safe harbour mechanism’, whereby entities that take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure, as required by Australian Privacy Principle 11, would not be penalised. The BCA submitted:
…any policy framework and response must clearly differentiate between incidents which occur due to negligent or reckless failure by an entity to take reasonable steps and those where the entity is a victim of sophisticated, targeted, and unprecedented actions by criminal and/or state actors. Duties of entities in this area and the consequences of a breach must be appropriate and proportionate to the actual wrongdoing or failure by the entity and the damage resulting to the entity, its employees, customers, and other stakeholders.48
2.45
Similarly, Amazon Web Services submitted:
…civil penalties frameworks should not impose undue hardship on an otherwise responsible entity that already undertakes robust privacy and security practices. Entities should have the opportunity to demonstrate that they have taken appropriate security and organisational measures to protect personal information if an interference occurs, and these factors should be taken into consideration.49
2.46
The Australian Privacy Foundation, Electronic Frontiers Australia and Digital Rights Watch did not support the creation of a safe harbour mechanism in relation to the maximum penalties proposed in the Bill. Mr David Vaile, Chair of the Australian Privacy Foundation, said:
In the European and US context it was eventually found that there was no basis for that, and it was used to lower the benchmark and lower the standards of protection for half a billion people in Europe.50
2.47
Similarly, Mr Justin Warren, Chair of Electronic Frontiers Australia, stated that ‘often these safe harbour mechanisms are used as a way of avoiding consequences rather than as an incentive towards good behaviour’.51
2.48
Ms Rachel Bailes, Head of Policy at the Australian Information Industry Association (AIIA), expressed a different view, however, stating that a properly drafted mechanism would incentivise good behaviour:
A properly drafted safe harbour regime wouldn't act as a hammock or a get-out-of-jail-free card. Rather it's the other side; it's the carrot, the incentive, for organisations to take a good hard look at how their staff, organisational levels and boards are functioning and to leverage fantastic tools, such as the Essential Eight and other cybersecurity frameworks. Rather than that safe harbour being an opportunity to sit back, it's an opportunity to lean forward and have a look at the legislation. Rather than just going, 'We better make sure we never fall victim to a data breach,' it's about being resilient and cybersecure by putting practical steps in place so that you can satisfy that safe harbour.52
2.49
Several submitters—such as the Tech Council of Australia and AIIA—contended that businesses need more clarity about the grounds on which the Commissioner might find a regulated entity liable for the imposition of a penalty. The former submitted that this lack of clarity is particularly acute where an entity has been the victim of a cyberattack. It added:
Clarity is not just important for industry certainty, it can also help incentivise good cyber and privacy practices, and encourage disclosure of data breaches which is a positive behaviour that helps keep the community safe by ensuring there is an effective response to incidents as they are unfolding, and by learning from them once they are concluded.53
2.50
The Australian Banking Association observed that, at present, there is not even any case law on the application of the penalty provision in section 13G of the Privacy Act:
In the current Facebook matter, the Office of the Australian Information Commissioner…has taken a broad interpretation of how civil penalties should be applied for serious and repeated privacy breaches and the penalty sought would far exceed $50 million.54
2.51
The AGD acknowledged concerns about the maximum penalties proposed in subsections 13G(2)-(3) but submitted that these penalties will not apply in all circumstances:
Although the Bill proposes to increase the maximum penalties that can apply under the Privacy Act, a court would retain discretion to determine a penalty which is appropriate and proportionate to the seriousness of the misconduct and harm or potential harm. The court may consider factors such as the nature and extent of the contravening conduct, the damage or loss suffered, the size of the contravening entity and whether the entity has previously been found to have engaged in similar conduct.55

Legislative terminology

2.52
Some submitters and witnesses highlighted key terms within proposed subsections 13G(1)-(3) of the Privacy Act, which they argued are uncertain, including the terms: ‘benefit’, ‘serious’, ‘repeated’, ‘turnover’ and ‘breach turnover period’.
2.53
Mr Vaile said that ‘there are very few legal precedents in this area, very little court analysis of the meaning of particular provisions, because there is no easy way to get into court’.56 Reinforcing this point, Ms Samantha Floreani, Program Lead at Digital Rights Watch, pointed out:
…[N]ot a single penalty has been imposed under the Privacy Act since the provision came into effect in 2014. The OAIC has only sought a penalty in one case, against Facebook, which is ongoing.57
2.54
The Law Council suggested that the terminology has been inappropriately adopted from the Consumer Law, without regard to the nuances of the privacy regime and the types of harms it seeks to address.58
2.55
With respect to the term ‘benefit’, for example, the Law Council argued that the potential ‘benefit’ to a corporation resulting from serious or repeated data mismanagement is not as clear as it might be under the Consumer Law:
…the reference to ‘benefit’, as proposed to be inserted into section 13G of the Privacy Act, will likely need additional discussion and clarity, as it is currently unclear how one would determine the benefit obtained from a breach of the Privacy Act. The Law Council cautions that penalty and benefit calculations may, once formalised, be utilised as loss quantification frameworks in civil claims and class actions. The Law Council accordingly suggests that consideration be given to reframing section 13G to reflect the harm caused by serious privacy infringements, rather than the value of the benefit obtained by the breaching entity.59
2.56
The BCA also questioned use of the term ‘benefit’ in the Bill:
These penalties are being introduced in the context of cyberattacks affecting organisations across Australia. But for cyberattacks, the logic of deriving penalties through looking at ‘benefits’ (or, where these can’t be determined, turnover) is nonsensical. The ‘benefits’ an entity derives from being the victim of crime can only be measured in the negative—through lost reputation, customers, revenue, intellectual property, or other assets, and the costs of remediating and mitigating the fallout.60
2.57
In evidence, the AGD also discussed how the mechanism in proposed subsection 13G(3) might operate, with particular attention to determining the value of a ‘benefit’. One official explained that there is a difference between a privacy breach and a cyberattack, which the proposed provision is seeking to consider: however, ‘there will be some circumstances where there just isn't a benefit, and that's when the maximum penalty of $50 million will apply’.61
2.58
In a similar vein, the Commissioner contemplated a scenario in which there was a malicious hack where the ‘benefit’ to the regulated entity would need to be assessed:
[This] may be difficult to determine…[T]here are likely to be submissions by the entity that's been breached to say that the concept of benefit doesn't arise in the circumstances…in which case the maximum of $50 million may be operable. I need to stress: a court needs to assess the amount of penalty to be provided. It doesn't necessarily flow that $50 million will be what's awarded. Currently, section 13G of the Privacy Act is subject to section 80 of the regulatory powers act, which provides that the court must take account of all relevant matters, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct.62
2.59
Ms Kate Pounder, Chief Executive Officer of the Tech Council of Australia, also agreed with the AGD that there are distinctions to be made in the application of the proposed maximum penalties:
When determining the penalties, the questions are: has there been a breach of the act; what is the nature of that breach—is it serious, is it repeated; and did the company take reasonable steps to prevent it? We can see that, where a company has intentionally tried to do the wrong thing, all of those answers may readily flow from each other, but in the case of a malicious hack we have to ask those questions very carefully. Firstly, a company can be the victim of a malicious cyberattack, and we know from the information that the commission is reporting that about two-thirds of the mandatory data breaches they receive are the result of a malicious hack. The company may not have actually breached the Privacy Act when that attack has occurred, firstly because cyber incidents don't necessarily result in a data breach and secondly because the data breach itself may not have been a breach of the Privacy Act. It's important not to lose sight of that distinction.
Secondly, when we think about the sophistication of some of the state-based actors or significant criminal syndicates, there can be some very sophisticated types of cyberattacks where a company may well have taken a number of reasonable steps, such as having the right, being legally required to hold the data in the first place or maintaining it securely. They may have very sophisticated systems, security and penetrating testing, or internal cybersecurity teams that are constantly monitoring for either errors or attacks. They may have trained all their staff. They may have detected an incident very quickly and instantly notified authorities and started cooperating with them—yet still they may have had a terrible attack. When we question whether there has been a breach of the act—how serious it was, if it was repeated, and whether they took reasonable steps—all of those factors are very material. They should, therefore, also be material to the question of the right penalty.63

‘Serious interference’ or ‘repeated interference’

2.60
The majority of submitters and witnesses focussed on the terms ‘serious interference’ and ‘repeated’ interference in proposed subsection 13G(1) of the Privacy Act, submitting that this provision should be amended or reconsidered. The Law Council highlighted:
…the terms of ‘serious interference’ and ‘repeated interference’…are not defined, and unlike other sections of the Privacy Act, are not supported by a non-exhaustive list of factors that would give rise to such a contravention.64
2.61
DIGI argued that, in view of the substantial penalties proposed under the Bill, what constitutes a serious or repeated interference with privacy must be better defined:
…their scope and application need to be exceedingly clear, and greater clarity will ultimately assist APP entities’ compliance efforts. We are concerned that the Act does not define a 'serious' or 'repeated' interference with privacy, creating uncertainty as to the circumstances in which this civil penalty provision may apply. To provide APP entities with greater clarity as to the potential application of the amended penalty provision, we submit that the Bill be amended to include a definition of both a 'serious' and 'repeated' interference with privacy that covers only the most egregious breaches of the Act.65
2.62
The Law Council acknowledged that the OAIC has published guidance, identifying factors and conduct which it would take into account when deciding whether to seek a civil penalty under existing section 13G of the Privacy Act. However, ‘while such guidance material is helpful to providing a degree of clarity, these key threshold terms have not had the benefit of substantive interpretation through case law’.66
2.63
Rather than amend the definitions in section 13G, the BCA suggested that greater clarity could be provided by amending section 80U of the Privacy Act, which sets out factors to be taken into consideration when a court determines pecuniary penalties. It argued that the following factors should be included:
Whether a breach was the result of deliberate, reckless, or negligent behaviour on the part of the regulated entity;
Whether a regulated entity was compliant with recognised or prevailing standards for security and had robust privacy frameworks in place;
Whether an entity acted promptly to investigate the matter, sought appropriate expert assistance, and worked in good faith to address harms to citizens; and
Whether an entity disclosed the breach at an appropriate time to mitigate damage to all involved.67
2.64
AGD representatives noted that the Bill seeks to amend ‘quantum’ under section 13G of the Privacy Act and does not touch upon the existing terminology of ‘serious interferences’ or ‘repeated’ interferences:
It's not affecting the existing obligations under the act, nor is it affecting the way in which, in cases of serious or repeated breaches where the commissioner is of the view that civil penalties are warranted, she would go to the court to seek those, and it would be a matter for the court to determine, in the circumstances of that case, what would be appropriate.68
2.65
In relation to what might constitute ‘serious interferences’ or ‘repeated’ interferences, the AGD acknowledged that the OAIC already provides guidance on these matters but recognised that it would be appropriate for the identified factors to be updated on passage of the Bill. Further:
Another one of the issues that we are considering as part of the Privacy Act review is whether the provision could be made clearer. One of those options might be through guidance. Another idea might be to take the guidance which the OAIC has done and specify those factors in the provision itself. They're all options that we're currently considering.69

Enforcement powers

2.66
As noted by the Attorney-General in his second reading speech, the Bill would provide the Commissioner with ‘a suite of improved and new powers to resolve privacy breaches efficiently and effectively’.70 This section discusses two of the proposed powers and the related issue of OAIC resourcing.

Extraterritorial operation

2.67
Item 10 in the Bill would repeal paragraph 5B(3)(c) of the Privacy Act to remove the requirement for an organisation or small business operator to collect or hold personal information in Australia or an external territory, before or at the time of the act or practice in question, to have an ‘Australian link’.
2.68
Some submitters welcomed this proposal, which would extend the operation of the Privacy Act to overseas organisations and small business operators who ‘carry on a business’ in Australia.71 Electronic Frontiers Australia submitted that ‘it is right and proper that Australians should expect data about them to be kept safe no matter how it came to be in the possession of an organisation’.72
2.69
Digital Rights Watch argued that the repeal of paragraph 5B(3)(c) would make the Privacy Act ‘more fit for purpose in the global internet economy’ and ‘make it harder for foreign companies to avoid meeting the requirements of the Privacy Act’.73
2.70
Similarly, CHOICE viewed the current provision as ‘an unfair loophole that means some international corporations may be exempt from adhering to critical privacy protections’.74
2.71
Some submitters did not, however, support the proposed repeal of paragraph 5B(3)(c). The Law Council expressed its concern that ‘there is no balancing reform that would limit the effect of the Privacy Act to information that has some connection with Australia’. It explained:
…removing paragraph 5B(3)(c), without replacing it with any other provision, may have broader implications and consequences than is intended. Repealing this paragraph would likely not limit the extraterritorial application to personal information ‘from a source in Australia’ as envisaged in the Explanatory Memorandum. Rather, this repeal could have the unintended effect of being applicable to all foreign organisations operating in Australia for all their privacy practices, including those that affect citizens of other nations who do not have any link to Australia, because the amendment would mean that the threshold to satisfy the ‘Australian link’ is that the foreign operation carries on business in Australia.75
2.72
Both the BCA and DIGI agreed with this assessment. DIGI commented that ‘it is not clear why Australian laws seek to regulate the management of personal information that has no direct connection with Australia or with Australians’. The BCA added that the proposed provision also ‘risks bringing Australian laws into conflict with requirements made in other jurisdictions’.76
2.73
On this point, the Law Council submitted:
…it will be important to understand the scope and impact of the proposed changes and consider the potential for conflicts of laws and unintended legal consequences for sectors that are already regulated, either under their applicable home data protection regimes or industry-specific regulations that authorise and regulate their sphere of operations in Australia.77
2.74
The OAIC supported the repeal of paragraph 5B(3)(c) of the Privacy Act, which it considered would, among other things, ‘simplify the requirements around the circumstances in which the Privacy Act extends to an act or practice of an organisation outside Australia’.78
2.75
In evidence, the AGD affirmed its view that ‘the nexus that comes from carrying on a business provides a useful nexus’ for the purposes of section 5B of the Privacy Act, adding that this approach is consistent with at least one international jurisdiction:
The focus, if that second limb is removed [in paragraph 5B(3)(c)], is that the nexus in that circumstance would be to demonstrate that the foreign organisation is carrying on a business in Australia. That mirrors the approach taken to foreign organisations in relation to competition and consumer law in Australia, and we know that, while it is framed slightly differently, the New Zealand Privacy Act has a similar way of dealing with that type of extraterritorial provision.79

General Data Protection Regulation

2.76
Several submitters did not agree with the OAIC that the proposal would simplify the circumstances in which organisations or small business operators overseas would be subject to Australian privacy law. Many referenced article 3 of the GDPR which deals with extraterritoriality. DIGI summarised the effect of this article, as follows:
…the EU’s regulation…applies to (1) individuals that are EU residents, (2) organisations that are based in the EU, or (3) organisations based outside the EU that monitor the behaviour of EU citizens. This still enables compliance from foreign entities, while still requiring a connection to the EU. This is important as it provides foreign companies with a degree of clarity as to which organisation is the responsible international regulator.80
2.77
The Law Council, the Australian Privacy Foundation and Privacy 108 Consulting argued that the Bill should align with the approach adopted by the GDPR. The Law Council considered that this would address its concern with the repeal of paragraph 5B(3)(c), by allowing for the relevant personal information to have some link with Australia for the attachment of Australia’s privacy law.81
2.78
While the Law Council suggested that the Bill could alternately be amended to include a balancing limitation, it considered that the extraterritorial operation of the Privacy Act is a matter best considered as part of the Privacy Act Review. In addition:
…[A]lthough it is not a bar to enacting legislative change now, the Law Council notes that the effect of existing subsection 5(3) of the Privacy Act is a significant issue in a current appeal before the High Court of Australia in Facebook Inc v Australian Information Commissioner.82

Information gathering powers

2.79
The Notifiable Data Breaches (NDB) scheme requires regulated entities to notify affected individuals and the Commissioner if an entity has reasonable grounds to believe that an ‘eligible data breach’ (as defined in section 26WE) has occurred.83 A key objective of the scheme is to enhance entities’ accountability for privacy protection.84
2.80
Proposed section 26WU of the Privacy Act would give the Commissioner the power to require the giving of information, the production of documents or the answering of questions in relation to actual or suspected ‘eligible data breaches’, or an entity’s compliance with the notification requirements.85
2.81
The OAIC submitted that the proposed section would help to inform the Commissioner in the exercise of her functions and powers:
[The information gathering powers] will help to ensure the OAIC has a comprehensive knowledge of the information compromised in a breach, and other relevant facts and circumstances, to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.86
2.82
CHOICE supported enabling the Commissioner to access, request and assess a regulated entity’s compliance with the NDB scheme, pointing out that the scheme ‘relies on the discretion of businesses to disclose data breaches and individual harm’.87
2.83
However, the BCA considered that the proposed power should be ‘bounded by some form of time-based requirement’, such as expiration of a 30-day assessment period after first notification to the Commissioner of an actual or suspected data breach:
Businesses may not have notified Commissioner as they actively investigate and determine the extent of the breach. Information requests at this time may well be at best a distraction and at worst actually cause the relevant entity to take its focus away from the main objective of securing the breach and protecting data subjects. It is important to ensure that disclosure is well managed and avoids confusion or misinformation. Any regime that is intended to cause early disclosure should be carefully considered when compared with the harm that may occur either to stakeholders as a result, or to the effective investigation into or remediation of the breach itself.88

OAIC funding

2.84
Many submitters expressed concern about the proposed expansion of the OAIC’s enforcement powers without a commensurate increase in resourcing.89 The Law Council argued:
The OAIC must be sufficiently resourced to perform and implement the proposed enhanced enforcement powers, while also discharging its other key statutory functions and activities, including providing information to the public, organisations, and agencies about their rights and obligations under the Privacy Act.90
2.85
Similarly, Digital Rights Watch commented on the need for requisite and stable funding, which it argued is fundamental for the OAIC to be a strong and effective regulator:
The additional $5.5 million allocated to the OAIC to investigate the Optus data breach in the most recent budget does not meet the ongoing funding needs of the OAIC. The digital ecosystem and privacy issues that come with it are only increasing in complexity, severity and frequency. The OAIC urgently needs increased funding that is not tied to one specific investigation to be able to meet its growing responsibilities.91
2.86
Dr Kemp agreed, submitting:
…an active, properly funded privacy regulator is essential if we are to reduce the scope and frequency of data breaches rather than simply turning to the regulator for the ‘clean-up effort’. While major data breaches obviously dominate recent headlines in Australia, it is also important to remember that many substantial privacy harms are imposed on individuals even where there is no eligible data breach. Australians currently face long delays in having their complaints addressed by the OAIC and some apparently clear and long-standing breaches of the APPs have not been addressed at all.92
2.87
The AGD noted the additional funding provided to the OAIC in the Federal Budget 2022-2023, as well as $17 million over two years to support the OAIC in its response to the increasing complexity of privacy complaints, and to undertake effective enforcement action and litigation.93 Officials further advised:
[AGD is] always carefully looking at the resourcing requirements and the government is mindful of that. We're very conscious that the Privacy Act review could indeed look at the approach and the way in which the office operates and how we can support that, so there will be further consideration there.94
2.88
When asked about resourcing levels, the Commissioner stated that the Bill would create efficiencies for the OAIC and would not impose additional resource demands on it. However, Ms Falk advised:
I am continuing to be in discussions with government around the resourcing requirements of the office into the future, noting the significant issues facing Australian businesses, not only around data breaches but around complexity of information-handling practices.95
2.89
With reference to the recent funding to investigate the Optus data breaches (see paragraph 1.12), the Commissioner stated:
…[W]e will always take the regulatory action warranted in the circumstances. On this occasion, I have gone to government, I have sought the funding and it has been provided. I will continue to raise the issue of the need to have access to a funding base that takes account of the need to bring litigation.96

Information sharing powers

2.90
The Bill would provide information sharing powers to the OAIC and the ACMA. Some submitters commented on these proposed provisions.

Privacy Act

2.91
Proposed section 33A of the Privacy Act would enable the Commissioner to share information or documents with a ‘receiving body’ (as defined in proposed subsection 33A(2) of the Act) for the purposes of the Commissioner or the ‘receiving body’ exercising their powers or performing their functions or duties.97
2.92
Submitters—such as the OAIC and the Australian Federal Police (AFP)—explicitly supported the proposed provision. The AFP considered that proposed section 33A would ‘contribute to better outcomes for affected individuals and entities’,98 while the OAIC emphasised the benefits of efficient and effective regulatory cooperation:
The Bill will provide clear circumstances in which the Commissioner may share information with other bodies where necessary, including law enforcement bodies, an alternative complaint body and State, Territory or foreign privacy regulators. These measures will help to ensure that duplicative investigation and regulatory responses – both domestically and globally – are avoided and limited resources are directed appropriately.99
2.93
The Law Council expressed its concern with the broad power that it argued is subject to limited safeguards:
Beyond the restriction that the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act, the only other condition imposed with respect to the Commissioner’s decision to share this information, per proposed paragraph 33A(3)(b), is that:
…the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.100
2.94
The BCA agreed that the safeguards in proposed section 33A are insufficient, submitting that affected organisations—and therefore individuals also—will be unaware of the sharing and use of personal information:
…at a minimum, the information sharing powers be amended to require the OAIC to inform the relevant organisation that both the sharing is occurring and for what purpose. This will allow the organisation to provide additional or supporting context to the receiving agency, if needed…The proposed information sharing powers could also create a double jeopardy risk for entities where information is shared between regulators under broadly defined powers. In addition, we are concerned that information gained in one context, when provided to another agency for an associated but perhaps different context, may be incorrectly relied upon.101
2.95
Amazon Web Services shared the Law Council and the BCA’s concerns, submitting that proposed section 33A is overly broad, not subject to appropriate safeguards, and may cause significant privacy concerns for organisations and the wider community:
The effect of the powers under section 33A is such that an organisation could share information regarding an eligible data breach with the Commissioner, who may then share that information (including the personal information of Australians) with any “receiving body” for any purpose of the receiving body—including to pursue investigations or matters that are not related to the data breach in question. This could all occur without the consent or knowledge of the organisation, or any affected individuals. It is also concerning that any of this information, especially personal information, may be given to a foreign authority without the consent or knowledge of the organisation or affected individuals.102
2.96
The Law Council identified an additional concern with the proposal to allow broader information sharing: there is a significant risk that the regime under proposed section 33A may act as a deterrent for entities that would otherwise pursue early and voluntary engagement with the regulator:
The sharing of information by the Commissioner with other bodies…has the potential to undermine the voluntary aspects of OAIC’s regulatory approach, which may be necessary to mitigate or resolve privacy issues at an early stage. The risk of disincentivising voluntary reporting might be compounded by the indefinite, and potentially expansive list of bodies authorised to receive information…The Law Council suggests consideration be given to amending this provision to provide an exhaustive list of relevant bodies authorised to receive information under the Privacy Act.103

Disclosure in the public interest

2.97
Proposed subsection 33B(1) of the Privacy Act would give the Commissioner a discretion to disclose information acquired in the course of exercising powers, or performing functions or duties, under the Act if the Commissioner were satisfied that it is in the public interest to do so. A list of mandatory and discretionary factors that would need to be taken into consideration is set out in proposed subsection 33B(2).104
2.98
The OAIC submitted that the proposed provision would provide clear authority for the publication of information, if it is in the public interest. It argued that publication would ensure that Australians are informed about privacy issues and reassured that the OAIC is discharging its duties.105
2.99
The BCA expressed its concern with the risk of disclosure prior to completion of an investigation: ‘this is completely contrary to how the OAIC currently conducts investigations and contrary to how most regulators conduct their investigations’.106 Further, it voiced concerns about the ‘blanket power’ which does not limit the nature of information that can be disclosed:
…[D]isclosed information might include any information supplied to the Commissioner in the course of an investigation, regardless of whether that information is contested as to accuracy, completeness or relevance.107
2.100
The BCA submitted that proposed section 33B(1) does not contain sufficient safeguards and, similar to the Law Council’s concerns in relation to information sharing powers, may discourage companies from disclosing matters to the Commissioner, with adverse effect:
There is no requirement of prior consultation with the person or entity that provides the relevant information or to whom the information relates. There is also no requirement for the Commissioner to consider proportionality or to balance benefit to the person or entity that provide the relevant information or to whom the information relates against, merely to “have regard” to the matters proposed [in] section 33B(2). This could lead to situations where the OAIC publishes information that will allow further attacks to be made against an organisation, if the OAIC fails to understand the nature of the information it is releasing. Moreover, disclosing during an investigation information obtained as part of the investigation has the potential to undermine, compromise and delay any such investigation.108

  • 1
    See, for example: CHOICE, Submission 7, p. 1; Office of the Australian Information Commissioner (OAIC), Submission 8, p. 1; Electronic Frontiers Australia, Submission 29, p. 1. Also see: Australian Privacy Principle (APP) 11, which provides for the security of personal information, www.oaic.gov.au/privacy/australian-privacy-principles (accessed 15 November 2022).
  • 2
    Law Council of Australia (Law Council), Submission 27, p. 5.
  • 3
    OAIC, Submission 8, p. 1.
  • 4
    CHOICE, Submission 7, p. 1.
  • 5
    Business Council of Australia (BCA), Submission 22, p. 3. Also see: Australian Federal Police, Submission 11, p. 1; Australian Banking Association, Submission 24, p. 1.
  • 6
    Australian Competition and Consumer Commission, Digital Platforms Inquiry, Final Report, June 2019, Recommendation 17, www.accc.gov.au/publications/digital-platforms-inquiry-final-report (accessed 14 November 2022).
  • 7
    Attorney-General’s Department (AGD), Submission 12, p. 5.
  • 8
    See, for example: Digital Rights Watch, Submission 2, p. 1; OAIC, Submission 8, p. 5; Amazon Web Services, Submission 14, p. 1; Privacy 108 Consulting, Submission 16, p. 1; DIGI, Submission 25, p. 1; Australian Privacy Foundation, Submission 28, p. 1; Electronic Frontiers Australia, Submission 29, p. 1.
  • 9
    See, for example: Internet Association of Australia, Submission 4, p. 3; Tech Council of Australia, Submission 19, pp. 1–2; BCA, Submission 22, p. 3.
  • 10
    Law Council, Submission 27, p. 6. Also see, for example: Digital Rights Watch, Submission 2, p. 1; Salinger Privacy, Submission 10, p. 4; Dr Katharine Kemp, Submission 31, p. 5.
  • 11
    Australian Privacy Foundation, Submission 29, p. 1. Also see, for example: BCA, Submission 22, p. 4.
  • 12
    BCA, Submission 22, pp. 3 and 7. Also see: Law Council, Submission 27, p. 8.
  • 13
    AGD, Submission 12, p. 2. Also see: the Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
  • 14
    Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 27.
  • 15
    Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 30.
  • 16
    Item 12 of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill).
  • 17
    Items 13–14 of the Bill.
  • 18
    Salinger Privacy, Submission 10, p. 2. Also see: OAIC, Submission 8, p. 2; DIGI, Submission 25, p. 3, which both commented on the deterrence value of increased maximum penalties.
  • 19
    Professor David Lacey, Managing Director, IDCARE, Committee Hansard, 17 November 2022, p. 16.
  • 20
    Digital Rights Watch, Submission 2, p. 2. Also see: CHOICE, Submission 7, p. 1; Dr Bruce Baer Arnold, Submission 13, p. 2, who argued that large organisations will continue to view the proposed penalties as ‘an acceptable cost of doing business’, as they are not large enough; A/Associate Professor Elizabeth Coombs, Submission 17, p. 1.
  • 21
    DIGI, Submission 25, p. 5. Also see: Australian Banking Association, Submission 24, p. 4.
  • 22
    BCA, Submission 22, p. 5. Also see: Council of Small Business Organisations Australia (COSBOA), Submission 21, p. 3.
  • 23
    Dr Katharine Kemp, Submission 31, p. 2. Also see: Ms Samantha Floreani, Program Lead, Digital Rights Watch, Committee Hansard, 17 November 2022, p. 9.
  • 24
    Professor David Lacey, Managing Director, IDCARE, Committee Hansard, 17 November 2022, p. 15. Professor Lacey suggested that the Bill could usefully prohibit or create an offence around the payment of ransom, which costs each affected entity on average over $1 million: pp. 15 and 16.
  • 25
    Professor David Lacey, Managing Director, IDCARE, Committee Hansard, 17 November 2022, pp. 16 and 17.
  • 26
    Digital Rights Watch, Submission 2, pp. 2–3. Also see: A/Associate Professor Elizabeth Coombs, Submission 17, p. 2; Australian Privacy Foundation, Submission 28, p. 2; Electronic Frontiers Australia, Submission 29, pp. 2–3.
  • 27
    COSBOA, Submission 21, p. 3.
  • 28
    OAIC, Submission 8, p. 2.
  • 29
    OAIC, Submission 8, p. 2; AGD, Submission 12, p. 3; Dr Katharine Kemp, Submission 31, p. 2.
  • 30
    Law Council, Submission 27, pp. 15–16. Also see: Australian Information Industry Alliance, Submission 18, p. 2.
  • 31
    Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 27.
  • 32
    AGD, Submission 12, p. 3.
  • 33
    Australian Banking Association, Submission 24, p. 2; Dr Katharine Kemp, Submission 31, p. 3.
  • 34
    Tech Council of Australia, Submission 19, p. 2. Also see: BCA, Submission 22, p. 3.
  • 35
    COSBOA, Submission 21, p. 1. Also see: Tech Council of Australia, Submission 19, p. 2; Community Council for Australia, Submission 32, p. 2.
  • 36
    Dr Katharine Kemp, Submission 31, p. 4.
  • 37
    Law Council, Submission 27, pp. 13–14; Community Council for Australia, Submission 32, p. 1. Also see: COSBOA, Submission 21, p. 2.
  • 38
    Ms Angelene Falk, Australian Information Commissioner and Privacy Commissioner, OAIC, Committee Hansard, 17 November 2022, pp. 3–4.
  • 39
    Ms Julia Galluccio, Assistant Secretary, Information Law Branch, AGD, Committee Hansard, 17 November 2022, pp. 28 and 29.
  • 40
    See, for example: BCA, Submission 22, p. 7; Ms Samantha Floreani, Program Lead, Digital Rights Watch, Committee Hansard, 17 November 2022, p. 12; Professor David Lacey, Managing Director, IDCARE, Committee Hansard, 17 November 2022, p. 19.
  • 41
    COSBOA, Submission 21, p. 2.
  • 42
    Community Council for Australia, Submission 32, p. 1.
  • 43
    BCA, Submission 22, p. 6.
  • 44
    Salinger Privacy, Submission 10, p. 3. Also see: A/Associate Professor Elizabeth Coombs, Submission 17, p. 2; Electronic Frontiers Australia, Submission 29, p. 2; Ms Samantha Floreani, Program Lead, Digital Rights Watch, Committee Hansard, 17 November 2022, p. 9.
  • 45
    Salinger Privacy, Submission 10, pp. 3–4.
  • 46
    Tech Council of Australia, Submission 19, p. 3.
  • 47
    Ms Julia Galluccio, Assistant Secretary, Information Law Branch, AGD, Committee Hansard, 17 November 2022, p. 28.
  • 48
    BCA, Submission 22, p. 6.
  • 49
    Amazon Web Services, Submission 14, p. 2. Also see, for example: Australian Information Industry Association, Submission 18, pp. 2–3; Australian Banking Association, Submission 24, p. 2.
  • 50
    Mr David Vaile, Chair, Australian Privacy Foundation, Committee Hansard, 17 November 2022, p. 11. Also see: Ms Samantha Floreani, Program Lead, Digital Rights Watch, Committee Hansard, 17 November 2022, p. 11.
  • 51
    Mr Justin Warren, Chair, Electronic Frontiers Australia, Committee Hansard, 17 November 2022, p. 11.
  • 52
    Ms Rachel Bailes, Head of Policy, Australian Information Industry Association, Committee Hansard, 17 November 2022, p. 23.
  • 53
    Tech Council of Australia, Submission 19, p. 5. Also see: Law Council, Submission 27, pp. 13–14.
  • 54
    Australian Banking Association, Submission 24, p. 2. Also see: BCA, Submission 22, p. 7.
  • 55
    AGD, Submission 12, p. 3.
  • 56
    Mr David Vaile, Chair, Australian Privacy Foundation, Committee Hansard, 17 November 2022, p. 10.
  • 57
    Ms Samantha Floreani, Program Lead, Digital Rights Watch, Committee Hansard, 17 November 2022, p. 9.
  • 58
    Law Council, Submission 27, p. 17. Also see, for example: Australian Banking Association, Submission 24, p. 3; Ms Kate Pounder, Chief Executive Officer, Tech Council of Australia, Committee Hansard, 17 November 2022, p. 24; Ms Rachel Bailes, Head of Policy, Australian Information Industry Association, Committee Hansard, 17 November 2022, p. 24.
  • 59
    Law Council, Submission 27, p. 17.
  • 60
    BCA, Submission 22, p. 6.
  • 61
    Ms Julia Galluccio, Assistant Secretary, Information Law Branch, AGD, Committee Hansard, 17 November 2022, p. 33. Also see: Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 33.
  • 62
    Ms Angelene Falk, Australian Information Commissioner and Privacy Commissioner, OAIC, Committee Hansard, 17 November 2022, p. 5.
  • 63
    Ms Kate Pounder, Chief Executive Officer, Tech Council of Australia, Committee Hansard, 17 November 2022, pp. 22–23.
  • 64
    Law Council, Submission 27, p. 17. Also see, for example: Australian Privacy Foundation, Submission 28, p. 1.
  • 65
    DIGI, Submission 25, p. 3. Also see: Law Council, Submission 27, p. 18. Note: these two submitters noted that definitions would also be relevant to other reform recommendations, such as a tiered civil penalties infringement regime.
  • 66
    Law Council, Submission 27, pp. 17–18. Also see: BCA, Submission 22, p. 8, which stated that the guidance currently provided by the OAIC is too broad and punitive.
  • 67
    BCA, Submission 22, pp. 7–8.
  • 68
    Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 28.
  • 69
    Ms Julia Galluccio, Assistant Secretary, Information Law Branch, AGD, Committee Hansard, 17 November 2022, p. 29. Also see: Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 29.
  • 70
    The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
  • 71
    See, for example: CHOICE, Submission 7, p. 1.
  • 72
    Electronic Frontiers Australia, Submission 29, p. 5.
  • 73
    Digital Rights Watch, Submission 2, p. 3. Note: three international equivalents were cited, that is, the European Union’s General Data Protection Regulation, the California Consumer Privacy Act in California, and the Personal Data Protection Act in Singapore.
  • 74
    CHOICE, Submission 7, pp. 1–2.
  • 75
    Law Council, Submission 27, p. 9.
  • 76
    BCA, Submission 22, p. 8; DIGI, Submission 25, p. 3. Also see: Ms Rachel Bailes, Head of Policy, Australian Information Industry Association, Committee Hansard, 17 November 2022, p. 26.
  • 77
    Law Council, Submission 27, p. 9.
  • 78
    OAIC, Submission 8, p. 2.
  • 79
    Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 29.
  • 80
    DIGI, Submission 25, p. 3.
  • 81
    Law Council, Submission 27, p. 9. Also see: Privacy 108 Consulting, Submission 16, p. 4; Australian Privacy Foundation, Submission 28, p. 2.
  • 82
    Law Council, Submission 27, p. 11.
  • 83
    Privacy Act, Part IIIC.
  • 84
    OAIC, Submission 8, p. 3.
  • 85
    Item 18 in the Bill.
  • 86
    OAIC, Submission 8, p. 3.
  • 87
    CHOICE, Submission 7, p. 2.
  • 88
    BCA, Submission 22, p. 9.
  • 89
    See, for example: Australian Privacy Foundation, Submission 28, p. 2; Electronic Frontiers Australia, Submission 29, p. 2.
  • 90
    Law Council, Submission 27, p. 19.
  • 91
    Digital Rights Watch, Submission 2, p. 2.
  • 92
    Dr Katharine Kemp, Submission 31, p. 4. Also see: Australian Privacy Foundation, Submission 28, p. 2; Electronic Frontiers Australia, Submission 29, p. 2.
  • 93
    AGD, Submission 12, p. 2.
  • 94
    Ms Elizabeth Brayshaw, Acting First Assistant Secretary, Integrity Frameworks Division, AGD, Committee Hansard, 17 November 2022, p. 32.
  • 95
    Ms Angelene Falk, Australian Information Commissioner and Privacy Commissioner, OAIC, Committee Hansard, 17 November 2022, p. 6.
  • 96
    Ms Angelene Falk, Australian Information Commissioner and Privacy Commissioner, OAIC, Committee Hansard, 17 November 2022, p. 6.
  • 97
    Item 20 in the Bill. Note: similar powers would be provided to the Australian Communications and Media Authority in item 1 of the Bill. As this proposed power was only raised in a few submissions, it is not discussed in this chapter.
  • 98
    AFP, Submission 11, p. 1.
  • 99
    OAIC, Submission 8, p. 4.
  • 100
    Law Council, Submission 27, p. 23. Also see: Mr David Vaile, Chair, Australian Privacy Foundation, Committee Hansard, 17 November 2022, p. 12.
  • 101
    BCA, Submission 22, p. 10.
  • 102
    Amazon Web Services, Submission 14, p. 3.
  • 103
    Law Council, Submission 27, p. 24.
  • 104
    Item 20 in the Bill.
  • 105
    OAIC, Submission 8, p. 5.
  • 106
    BCA, Submission 22, p. 9.
  • 107
    BCA, Submission 22, p. 9.
  • 108
    BCA, Submission 22, p. 9. Also see: AFP, Submission 11, p. 1, which noted the safeguard in relation to potential prejudice to law enforcement activities.