
Reforms to the Privacy Act 1988 bring significant penalties for serious or repeated privacy breaches

by Tal Williams, Partner, Holman Webb

  • Recent privacy breaches have brought into sharper focus Australia’s low penalty regime for preventing the inappropriate release of private information and personal data.
  • An update to the Privacy Act 1988 has now been passed by Parliament.
  • Reforms to the Privacy Act include increasing the maximum penalty from $2.22 million to $50 million.

There is no question that one of the most high-profile legal issues at the moment relates to privacy and data control.

Recent privacy breaches have highlighted that Australia’s laws may not be as effective as we would like in requiring businesses to take appropriate precautions to prevent the inappropriate release of private information and personal data.

In part, this may be because Australia has a very low penalty regime with respect to privacy breaches. This is, along with other relevant matters, currently being considered — and an update to the Privacy Act 1988 (‘the Act’) has now been passed by Parliament.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 addresses some of the core elements referred to in the 2021 Exposure Draft. In particular, it increases penalties for data breaches. Currently, a corporate entity could be exposed to penalties of up to $2.22 million.

Moving forward, under the new regime, penalties will be the greater of:

  • $50 million;
  • 3 times the value of the benefit obtained by the company; or
  • 30 per cent of the adjusted turnover of the company during the period in which the privacy breach occurred.

Non-corporate entities and individuals will have their penalties raised from $444,000 to $2.5 million.

Other amendments to the Act include an expansion of the test which determines whether a foreign entity has an Australian link, and is therefore required to comply with the Privacy Act 1988.

The Office of the Australian Information Commissioner has also been given enhanced enforcement powers in relation to the collection of information, and the conduct of compliance assessments.

There are also new enforcement powers which allow the Commissioner to conduct external reviews and publish notices to affected individuals in relation to specific privacy breaches.

Looking towards the future

It will be interesting to see which of the more radical suggestions arising from the 2021 Discussion Paper will be incorporated into the next round of changes.

These changes would introduce, for example, the ability of individuals to bring an action directly against a company that has breached the Australian Privacy Principles, and may create a tort of invasion of privacy that could be applied where there is materially inappropriate conduct.

There is also some suggestion of expanding the definition of personal information, and strengthening the requirements for consent.

Whilst these changes are not yet contained in any legislation, given the continuing data breaches and high-profile cyber-attacks, the government is very likely to keep looking at strengthening the system.

Tal Williams can be contacted on (02) 9390 8331 or by email at

Material published in Governance Directions is copyright protected and may not be reproduced without permission. The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.
