March 22, 2023

Privacy Act reforms and what they mean for your business


Significant reforms to Australia’s privacy laws took effect in late 2022, fast-tracked in response to a number of high-profile data breaches. The reforms substantially increase penalties for serious or repeated interferences with privacy and expand the enforcement powers of the Office of the Australian Information Commissioner (OAIC). The 2022 reforms are intended to ensure businesses take privacy obligations seriously, with more extensive reforms expected within the next 12 to 18 months.

Key reforms that took effect in late 2022 include:

1. Increased civil penalties for serious or repeated interferences with privacy

Penalties have been increased significantly for serious or repeated interferences with privacy. The maximum penalty for individuals has been increased from $444,000 to $2.5 million. For bodies corporate, the previous maximum penalty of $2.22 million has been increased to an amount not exceeding the greater of:

  • $50 million;
  • three times the value of the benefit obtained from the conduct constituting the serious or repeated interference with privacy, if the court can determine this value; or
  • if the court cannot determine the value of the benefit, 30% of the body corporate's ‘adjusted turnover’ in the relevant period.

The definition of 'adjusted turnover' is similar to that introduced into the Australian Consumer Law and takes into account the sum of the values of all the supplies that the body corporate and any related body corporate have made or are likely to make during the period, with specified exceptions.

2. Improved enforcement and information sharing powers

The reforms provide the OAIC with enhanced enforcement and information sharing powers. The OAIC can now issue infringement notices for failures to provide information when required, with associated penalties and a criminal offence for systemic failures to provide information.

The OAIC can also:

  • require information in relation to an actual or suspected eligible data breach;
  • share information with other authorities to enable the OAIC or another authority to exercise its powers; and
  • publicly disclose information if it is in the public interest to do so.

3. Expanded extraterritorial application

Overseas businesses are now bound to comply with the Privacy Act 1988 (Cth) if they “carry on business” in Australia. Previously such businesses were also required to collect or hold personal information in Australia before the Act would apply. This second limb has now been removed, so an overseas business that carries on business in Australia is bound by the Act regardless of where it collects or holds the personal information.

Outlook for 2023

The 2022 legislative changes were just the start of the Australian Government’s planned reform of privacy laws. The Attorney-General’s Department released its Privacy Act Review Report (Report) in February 2023, which proposes expansive reforms to the Privacy Act. The Report contains 116 recommendations aimed at strengthening the protection of personal information and the control individuals have over their information.

Over time reforms are expected to shift the burden from individuals, who are currently required to safeguard their privacy, and place more responsibility on organisations who collect and use personal information to ensure that their practices are fair and reasonable.

Feedback is now being sought to inform the Government’s response to the Report. Submissions are due by 31 March.

Steps to take now

The regulatory and political focus on privacy means 2023 is an ideal time for businesses to review and reset their privacy practices. Businesses should review their controls and policies relating to the collection, use, storage and de-identification of personal information in preparation for significant changes to Australia’s privacy regime.

Businesses should take the time to:

  • understand what data they hold;
  • understand where their data is stored;
  • de-identify or destroy personal information that is no longer required;
  • review privacy policies and procedures, together with retention policies; and
  • ensure they are adequately prepared to respond to a cyber-attack or data breach, which includes having a well thought out incident response plan.

It is important to note that increased maximum penalties for serious or repeated privacy breaches and strengthened OAIC enforcement powers have already commenced.

Please contact the Sierra Legal Team if you require further information about the privacy changes or assistance with your privacy obligations.
