Australian Government promises to strengthen enforcement of data privacy laws
The Commonwealth Government announced several proposed changes to the Privacy Act 1988 (the Act) this week, designed to strengthen enforcement of the Act and impose additional requirements on social media platforms. However, given that a federal election is due in May, it is unclear whether the proposed reforms will ever be enacted.
The proposed changes fall into four categories:
1. Additional funding for the regulator
Under the proposals, the Office of the Australian Information Commissioner (OAIC) will be allocated an additional $8 million per year for the next three years to strengthen its enforcement powers. The additional funding will doubtless be appreciated by OAIC, which saw its workload increase significantly with the introduction of the notifiable data breaches scheme last year.
2. Additional powers for the regulator
OAIC would also receive additional enforcement powers, including the ability to issue infringement notices. Infringement notices are increasingly used by Australian regulators under a number of laws (such as the ASIC Act and the Spam Act) to impose penalties on businesses for less serious situations that do not warrant court proceedings. An infringement notice is like a “parking ticket”, in that the recipient has the option to pay the fine or challenge the notice in court and risk a more substantial penalty.
3. Increased civil penalties
The civil penalties which OAIC can impose for breaches of the Act will also be substantially increased. The current maximum penalty of $2.1 million (for a corporation) is already the highest penalty under any Asia-Pacific data protection law, but the proposed changes would increase that maximum penalty to the greater of:
- $10 million;
- three times the value of the benefit obtained from the breach; or
- 10% of the corporation’s annual domestic turnover from the last 12 months.
The proposed changes follow the lead of the European Union’s General Data Protection Regulation (GDPR) in basing penalties on a percentage of a corporation’s annual turnover.
The above three measures are interconnected. OAIC has had the power to impose civil penalties for many years but has never done so. With greater resources, OAIC might finally be able to use these powers. In addition, infringement notices provide OAIC with an easier, less resource-intensive way to punish minor contraventions of the Act.
4. Measures targeting social media
Several proposed changes would also target social media in the wake of the Facebook/Cambridge Analytica scandal:
- individuals would be given a new right to require social media and other online platforms to cease using and disclosing their personal information;
- new rules would be introduced to protect children and other vulnerable groups online; and
- the Government would mandate a code for online platforms, including social media, which trade in personal information. The code would require greater transparency about data sharing and require specific user consent to the disclosure of their personal information.
While the proposed reforms are encouraging, the Government does not propose to enact them until the second half of the year. However, a federal election is due in May. As such, the proposals effectively amount to an early election promise by the current Government. If the Labor Party wins the election (as they are currently favourites to do), it is not clear whether they would follow through with these amendments.
Conclusion
Regardless of whether these specific proposals are ever enacted, it is clear that public concern over data breaches and the activities of social media platforms is increasing support for stricter data protection laws in Australia. Australian businesses can no longer assume that they will not suffer any consequences if they breach the Act.