In 2022, Optus and Medibank experienced significant data breaches that compromised the personal information of millions of Australians. The breaches resulted in direct and lasting harm including financial losses, identity theft and psychological distress.
The purpose of the New Privacy Laws is to impose stricter regulations on data protection and to require organisations to report data breaches to affected individuals and to the Office of the Australian Information Commissioner (OAIC). Some key takeaways include:
1. Increased penalties
The maximum civil penalty for serious or repeated privacy breaches has increased as follows:
| | Old penalty | New penalty |
|---|---|---|
| Individual | $444,000 | $2.5 million |
| Body corporate | $2.2 million | The greater of: (a) $50 million; (b) three times the value of any benefit derived by the company from the breach; or (c) if the court cannot determine the value of that benefit, 30% of the company's adjusted turnover in the relevant period |
2. Removal of the ‘Australian link’
Previously, an overseas business had to collect or hold personal information within Australia before the Privacy Act 1988 (Cth) (Privacy Act) applied to it. The New Privacy Laws remove this 'Australian link' requirement, so the Privacy Act now applies to any business carrying on business in Australia, regardless of where it collects or holds the personal information.
This change aims to strengthen privacy protections for Australians and ensure consistency with other domestic legislative frameworks.
3. Strengthened notifiable data breaches scheme
The Notifiable Data Breaches scheme requires organisations covered by the Privacy Act to notify the OAIC and affected individuals of eligible data breaches, that is, breaches that are likely to result in serious harm to the individuals whose personal information is involved.
The Commissioner now has enhanced information-gathering powers to determine the nature and scope of a data breach, assess the risks to affected individuals, and direct organisations to notify those affected by the breach.
4. Greater enforcement and information sharing powers
The New Privacy Laws provide the OAIC with greater enforcement and information sharing powers under the Privacy Act and Australian Information Commissioner Act 2010 (Cth), including the ability to:
If your business handles personal information of Australians, it is crucial to review and update your privacy policies and procedures (including data breach response plans) to ensure you are complying with Australian privacy laws. Failure to comply can result in significant financial and reputational damage, so it’s essential to stay informed and take action to protect user privacy. Beware of the Phish.
If you need assistance with privacy compliance to develop or update privacy and data policies and statements for your organisation, the Bespoke team is here to help.