Data breaches and long-awaited privacy law reform

UPDATE: The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 received Royal Assent on 12 December 2022, with the Act commencing the day after, from 13 December 2022.

On Wednesday 26 October the Federal Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) in response to the recent data breaches affecting Optus and Medibank.

The Bill will increase the maximum penalties that can be applied under the Privacy Act 1988 (Cth) (the Privacy Act) for ‘serious’ or ‘repeated’ privacy breaches from $2.22 million to whichever is the greater of:

• $50 million
• three times the value of any benefit obtained through the misuse of information, or
• 30% of a company’s adjusted turnover in the relevant period.

Proposals to increase penalties to protect Australians’ online privacy have previously been welcomed in the Digital Platforms report by the Australian Competition and Consumer Commission (ACCC) and were suggested to mirror penalties for breaches of the Australian Consumer Law (ACL).¹

The increased penalties have been widely reported, however there are other significant amendments within the Bill which should be considered by practitioners and their clients. These provisions seek to strengthen the Notifiable Data Breaches (NDB) scheme and enhance enforcement powers, particularly with respect to foreign organisations.

Empowering the OAIC to conduct assessments of an entity’s compliance with the Notifiable Data Breach scheme

Since its commencement in 2018, the NDB scheme has required that organisations or agencies covered by the Privacy Act (APP entities) initially assess whether there is a risk of harm to an impacted individual and only need to notify the Office of the Australian Information Commissioner (OAIC) and the impacted individual if the breach is likely to result in serious harm which they cannot remediate.

The Bill empowers the commission to conduct an assessment of an entity’s compliance with the Privacy Act’s NDB scheme to “ensure entities are meeting the scheme’s reporting and notification requirements”.²

These compliance powers are coupled with:

• new powers for the commissioner to obtain information or documents in relation to actual or suspect eligible data breaches, and
• provision to allow the commissioner to issue an infringement notice for a failure to give information, answer a question or produce a document or record when required to do so.

These amendments are likely to change how the OAIC engages with organisations and agencies and impact the activities and documentation processes that will need to occur for organisations to manage potential risks under the NBD scheme and the Privacy Act more broadly.

Changes affecting foreign organisations doing business in Australia

Currently foreign organisations must meet obligations under the Privacy Act if the entity has an ‘Australian link’, that is, “if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia”.³

The Bill will remove the requirement that a foreign organisation must collect or hold personal information directly from a source in Australia in order to have an ‘Australian link’. This means that foreign organisations doing business in Australia will be more likely to be subject to the Privacy Act, including the Australian Privacy Principles and the NDB scheme.

The Explanatory Memorandum (EM) to the Bill states that the purpose of the change is “‘to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia. However, these organisations will often still otherwise be carrying on a business in Australia”. The EM also notes that the amendments mirror similar provisions in the ACL.⁴

Lastly, enhanced information-sharing powers provide the Office of the Australian Information Commissioner with the power to disclose information or documents to bodies including a foreign privacy regulator.⁵

Other Federal Government responses

In addition to the Bill, the Federal Government has also recommended temporary⁶ amendments to the Telecommunications Regulations, which are a substantive change to data breach and cyber security incident responses within the Telecommunications industry.⁷

These amendments permit telecommunication companies (such us Optus) to share certain personal information of affected individuals with government and regulated financial services entities who request it, for the purposes of preventing or responding to cyber security incidents or malicious cyber activity, fraud, scam activities or identity theft.

APRA-regulated entities are required to follow a specific process in making such requests, including providing written commitments to the ACCC that they will comply with Privacy Act obligations and as to how the personal information will be used.⁸

Resourcing of the OAIC

Queensland Law Society, in consultation with members of the QLS Privacy, Data, Technology and Intellectual Property Committee, has previously submitted that privacy and security issues with respect to personal information are a critical issue requiring strengthened regulatory frameworks. However, strengthened regulatory frameworks must also be supported by well-resourced regulators.

In its 2021-22 Annual Report, the Office of the Australian Information Commissioner (OAIC) said:

“Each year, the OAIC finalises more IC review applications, but without further resources, we continue to face significant challenges. We finalised 1392 IC reviews [Information Commission] in 2021-22, an increase of 37% compared to 2020-21, which followed a 23% increase the previous year.”⁹

Notably, this week’s Budget measures included $5.5 million over two years to the OAIC to respond to the Optus data breach.¹⁰ Funding allocations from the March 2022 Budget have also been confirmed.¹¹ However it remains to be seen whether these allocations will be sufficient to meet existing demands as well as the expanding scope of the OAIC’s remit proposed by the Bill.

National privacy reform

In 2021, the former government consulted on an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (the exposure draft) which included increased enforcement powers and penalties.¹²

In its submission on the exposure draft, the Law Council of Australia highlighted its concerns with the “fragmentation in the reform process”, submitting that it was “important to maintain the momentum on the pending review of the content of the substantive provisions of the Privacy Act … to avoid uncertainty and unintended consequences”.¹³

Attorney-General Mark Dreyfus KC has indicated that the changes in the Bill would be in addition to any recommendations arising from the long-awaited review of the Privacy Act.¹⁴ It is anticipated that the Review will be completed later this year.

It follows from Queensland Law Society’s and Law Council of Australia’s submissions that, to ensure national consistency and a harmonised privacy framework, any state reforms should be postponed until finalisation of the Privacy Act review, and that the reforms and reviews under consideration be prioritised, alongside consultation on the Bill and sufficient resourcing allocation to ensure national privacy frameworks are clear, appropriately targeted and effective.

What should law firms do?

The enhanced penalties regime will impact not only law practices that are APP entities themselves, but any which supply legal services to regulated clients.

The risk of a weak link in the supply chain will require businesses to carefully consider the security capability of anyone with access to sensitive data for which the business is responsible.

In addition to actual defensive capability, law firms will also need an accurate understanding of their security measures so that client queries can be addressed appropriately.

What’s next?

The Bill has been referred to the Senate Standing Committees on Legal and Constitutional Affairs for detailed consideration. Submissions are open until Monday 7 November. The committee’s report on the Bill is due to be released on Tuesday 22 November.

*The Queensland Law Society Business Advisory Service offers cybersecurity advisory assistance to QLS full members. Members can call 07 3842 5843 or email ethics@qls.com.au the Ethics Centre for a referral.

**If members would like to provide feedback on the Bill to inform a QLS Submission, please send your comments to the QLS Legal Policy team at policy@qls.com.au.

This article appears courtesy of the Queensland Law Society Privacy, Data, Technology and Intellectual Property Committee and has had the benefit of input from its members, along with input from David Bowles, Special Counsel, QLS Ethics and Practice Centre. Kerryn Sampson is a QLS Senior Policy Solicitor.

Footnotes
¹ Australian Competition and Consumer Commission, June 2019, Digital Platforms Inquiry Final Report at pp23-24 and 35; The Government has recently introduced the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022 (Bill) to increase penalties for anti-competitive behaviour.
² 2022, Privacy Legislation Amendment (Enforcement and Other Measures Bill) 2022, Explanatory Memorandum at p5.
³ Ibid at pp12-13.
⁴ Ibid at p13.
⁵ Ibid at p2.
⁶ The sunset provision repeals the amendments 12 months after commencement.
⁷ See Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022; Joint media release Dr Jim Chalmers MP, Treasurer and Michael Rowland MP, Minister for Communications, 6 October 2022, available at Changes to protect consumers following Optus data breach | Treasury Ministers.
⁸ APRA, 2022, Data breach – Frequently asked questions.
⁹ 28 September 2022, Office of the Australian Information Commissioner, Annual report 2021-22 at p8.
¹⁰ 25 October 2022, Law Council of Australia, Welcome investment in First Nations justice.
¹¹ Office of the Australian Information Commissioner, 26 October 2022, OAIC welcomes additional budget funding.
¹² Australian Government, Attorney-General’s Department, Online Privacy Bill Exposure Draft [Consultation closed 6 December 2021].
¹³ Law Council of Australia, 14 December 2021, response to Online Privacy Bill Exposure Draft.
¹⁴ The review is to consider whether the scope and enforcement mechanisms in the Privacy Act remain fit for purpose and if needed, make recommendations for reform. View the terms of reference.