Changes to the Privacy Act are coming

You are currently viewing Changes to the Privacy Act are coming

Privacy is the most interesting area of law in Australia today. Identity data is at the heart of a variety of issues as diverse as national security and e-commerce. And few issues can expose the general public to greater personal risk.

Ongoing Reform

A review of Australia’s data and privacy protection mechanisms has been in place since late-2019. Following the recent massive Optus and Medibank security breaches, the Attorney-General has accelerated matters and tabled proposed changes as follows:

  • A significant increase in the existing penalty regime for repeated or privacy breaches (the current penalty is a little over $2,000,000). Increased penalties would be the greater of:

a. $50,000,000;

b. three times the benefit obtained from the breach (if that benefit can be determined); or

c. 30% of the adjusted turnover of the responsible party during the relevant period;

  • Strengthening the Notifiable Data Breaches Scheme by allowing the Office of the Australian Information Commissioner (OAIC) to request information and conduct compliance assessments;
  • Enhancing the OAIC’s ability to resolve breaches by public announcement or contacting affected persons directly. The OAIC will also be able to compel businesses to conduct external reviews; and
  • New powers permitting the OAIC to share information with other regulatory bodies or third parties.

Other Recent Changes

The above amendments are in addition to recent changes to the Telecommunications Regulations that permit telecommunications carriers to provide identification documents or personal information to banks or other institutions regulated by APRA, such as insurers and superannuation funds. Recipients of information will have to destroy that data once it is no longer required. This approach was employed following the Optus hack.

It’s difficult to protect yourself

One of the striking features of current personal data practices is how difficult it is for consumers to protect themselves. Almost all sophisticated services, as well as a number of retail businesses, request some personal information from their clients. The more an individual discloses, the greater the likelihood that one of the recipients will be hacked. Frighteningly, reported statistics suggest that 40% of Australian businesses experienced a cyber-attack in 2021.

Although the above Government steps are welcome, everyone should be vigilant. Individuals should ensure that that they (and their family members, both young and old) do not share personal information without first independently verifying the recipient.

For legal advice on the Privacy Act or the recent changes, contact us today!