Following on from last week’s post, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced into the Parliament on 26th October.
The Bill will significantly increase maximum penalties that can be applied under the Privacy Act for serious or repeated privacy breaches from the current $2.22 million to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- 30 per cent of a company’s adjusted turnover in the relevant period.
This will bring the penalties in line with penalties under the Competition and Consumer Act as proposed by the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022. It will also bring the law more in line with EU penalties under the GDPR. While penalty provisions for the most serious infringements under the GDPR are framed in terms of 4% of companies’ global turnover, the proposal under this Bill is 30% of companies’ Australian turnover, on the basis that it will be easier for a court to determine.
The Bill also:
- provides the Australian Information Commissioner with greater powers to resolve privacy breaches;
- makes changes to the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge of information compromised in a breach, to assess the risk of harm to individuals; and
- provides the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers.
The Bill doesn’t cover the scope of information that organisations hold or how long they should be able to hold that information – this issue will be dealt with under the broader Privacy Act reforms.
The Bill and Explanatory Memorandum (EM) are available here: https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6940