Momentum has shifted and privacy reform is on the way
Ask anyone on the street and it’s certain they will either be aware of the recent spate of high-profile cyber-attacks or be a victim of one. I wrote about the attacks in the last News Update.
There’s no denying, we live in a rapidly evolving data landscape, and our current privacy regulations are not keeping pace. In the Australian Privacy Commissioner’s 2020 survey, 83% of Australians said they’d like the government to do more to protect the privacy of their data.
It’s now November 2022, and no regulations have changed.
We need a Privacy Act that is fit for purpose for the digital age. It’s almost unthinkable that the current privacy regulations were designed in 1988.
Collectors of our data need to be aware of the serious risks posed by storing unnecessary but highly sensitive data. What is needed are new regulations that minimise the amount and types of data extracted for commercial purposes as well as a new regulator to vigorously enforce these regulations.
The EU took on the data privacy regulation challenge in 2012. The General Data Protection Regulation (GDPR) is a leading privacy regime.
The previous federal government was aware of the flaws in privacy and data regulations and started a review of the 1988 privacy laws in December 2019 to work out whether they were fit for purpose in the new digital economy.
Unfortunately, COVID-19 and other political priorities got in the way, and the review stretched out to early 2022.
The current regulations are already meant to limit companies to collecting personal information only when necessary and for a given purpose (unless an individual consents or would reasonably expect it to be used for another reason). If companies do keep personal data for a period, they must take reasonable steps to protect it from misuse, hacks or disclosure.
It’s clear however, that these regulations are not strong enough, nor are the associated penalties. There is currently a $2.22 million limit on corporate penalties for breaches. The GDPR regulations have a €20 million or 4% of a firm’s worldwide annual revenue penalty.
Following the recent Optus hack, Katharine Kemp, a senior lecturer at UNSW and one of Australia’s leading experts in privacy law reform, said, ‘A big problem is a lot of companies have quite a self-serving interpretation of the existing privacy principles. They make use of the broad language to generally collect more information, use it for more purposes, and keep it for longer than would be the case if we had stronger privacy laws.’
Kemp continues, said that ‘tightening what information can be collected in the first place’ would also help stop large data thefts.
So where do our privacy laws stand under the new federal government?
The Attorney General, the Hon. Mark Dreyfus MP, tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 on 26 October.
The bill proposes significant increases to the penalties for incorporated entities. Either:
- $50 million
- Three times the value of any benefit obtained through the misuse of information; or
- 30% of a company’s adjusted turnover in the relevant period (i.e., the period of non-compliance with the Privacy Act).
For unincorporated entities (including individuals, sole traders and partnerships), the penalty will increase from the current maximum of AUD$440,000 to AUD$2.5 million.
These are some of the most severe financial penalties for data privacy violation in the world. and the Government has indicated it plans to do more to update our outdated privacy regulatory environment.
The Bill also proposes amendments to the Australian Information Commissioner Act 2010 to provide the Office of the Australian Information Commissioner enhanced enforcement powers.
The final consultation discussion paper for the December 2019 Privacy Act review is due back by the end of this year, and it is anticipated that the long overdue draft legislation for the new privacy regulations will be introduced next year.
While the government has been swift to update the penalties, but the parliamentary backlog is already delaying major pieces of Labor’s legislative agenda and privacy is an area where the public increasingly considers delays are no longer be palatable. Some are suggesting the government might convene an extra December sitting week for the Senate to break through the backlog.