Beware of the phish when you surf – recent changes to privacy laws.


  • We’ve all heard about it – personal information being leaked into the public domain or perhaps sold to third parties without knowledge or consent. Whilst these occurrences can be catastrophic, we seem to have developed a ‘breach fatigue’ or desensitization as data breaches become more of ‘the norm’.
  • Protecting your personal information is not as simple as having a 12-character password with a mix of upper- and lower-case letters, numbers and symbols.
  • It is important to have a cyber-attack prevention plan in place now more than ever. This is because the frequency and sophistication of cyber-attacks have increased, and businesses are collecting and storing more data than ever before, making them attractive targets for hackers.
  • Australian privacy laws were recently updated: the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, in force from December 2022, introduced some important changes (the New Privacy Laws).

The Australian government hacking through murky waters

In 2022, Optus and Medibank experienced significant data breaches that compromised the personal information of millions of Australians. The breaches resulted in direct and lasting harm including financial losses, identity theft and psychological distress.

Rebooting the Privacy Act

The purpose of the New Privacy Laws is to tighten data-protection obligations and to strengthen the existing requirement that organisations notify eligible data breaches to affected individuals and the Office of the Australian Information Commissioner (OAIC). Some key takeaways include:

1. Increased penalties

The maximum civil penalty for serious or repeated interferences with privacy has increased as follows:

Individual
  Old penalty: $444,000
  New penalty: $2.5 million

Body corporate
  Old penalty: $2.2 million
  New penalty: the greater of:
    (a) $50 million;
    (b) three times the value of any benefit the company derived from the breach; or
    (c) if the court cannot determine the value of that benefit, 30% of the company’s adjusted turnover in the relevant period.

2. Removal of the ‘Australian link’

Previously, a foreign organisation was caught by the Privacy Act 1988 (Cth) (Privacy Act) only if it carried on business in Australia and also collected or held personal information in Australia. The New Privacy Laws removed that second limb of the ‘Australian link’ test, so the Privacy Act now applies to any organisation carrying on business in Australia, whether or not it collects or holds the personal information within Australia.

This change aims to strengthen privacy protections for Australians and ensure consistency with other domestic legislative frameworks.

3. Strengthened notifiable data breaches scheme

The Notifiable Data Breaches scheme is an Australian law that requires organisations to report eligible data breaches to the OAIC and affected individuals.

The Commissioner now has enhanced information-gathering powers to determine the nature and scope of data breaches, assess the risks to affected individuals, and issue directives for organisations to notify those affected by a data breach.

4. Greater enforcement and information sharing powers

The New Privacy Laws provide the OAIC with greater enforcement and information sharing powers under the Privacy Act and Australian Information Commissioner Act 2010 (Cth), including the ability to:

  • request entities to provide information and documents to assess actual/suspected data breaches or the entity’s compliance with Australian privacy laws;
  • engage a qualified independent adviser to examine an entity’s current acts and practices, the measures the entity has taken to prevent repeated breaches of privacy, and any other issue the Commissioner considers relevant to the entity’s acts or practices;
  • publish a statement about the conduct that constituted the privacy breach, including what the conduct was and what steps the entity has taken to ensure it is not repeated;
  • share information and documents with other authorities (eg enforcement bodies and privacy regulators), third parties or the general public (if appropriate); and
  • issue infringement notices, and seek civil penalties, where an entity fails to provide information or documents when required.

Swim between the red and yellow flags

If your business handles personal information of Australians, it is crucial to review and update your privacy policies and procedures (including data breach response plans) to ensure you are complying with Australian privacy laws. Failure to comply can result in significant financial and reputational damage, so it’s essential to stay informed and take action to protect user privacy. Beware of the Phish.

If you need assistance with privacy compliance to develop or update privacy and data policies and statements for your organisation, the Bespoke team is here to help.