Australia: Privacy Legislation Amendment Act 2022

Summary

Following a series of high-profile data breaches suffered by Australian entities which left millions of Australians' personal information vulnerable to hackers, the Federal Government passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 in December 2022. This Act comprised three main changes in respect of privacy regulation, namely:

• Increasing the maximum penalty for serious or repeated interferences with privacy for body corporates from $2.2 million to the greater of $50 million, three times the value of the benefit obtained attributable to the breach or, if the court cannot determine the value of the benefit, 30% of the entity’s adjusted turnover during the breach turnover period for the contravention;
• Enhancing the OAIC’s information gathering and sharing powers, particularly following a data breach; and
• Extending the jurisdiction of the Privacy Act to capture businesses that ‘carry on business in Australia’, even if they do not collect or hold information in Australia.

How could it be relevant for you?

Businesses that handle personal information now have a greater incentive to ensure that they are compliant with the Privacy Act, given the hefty increase in potential penalties in the event of a breach. Businesses should also be wary of the potential changes to the Privacy Act which may arrive in 2024, as they may vary or impose new obligations on organisations that handle personal information.

Next steps

The Federal Government has signalled that the above amendment is the first in what it is expected to be a series of wide-ranging reforms to the Privacy Act. It was anticipated that a draft bill reforming the Privacy Act would be tabled in Parliament by the end of 2023, but with the Government’s Response indicating extensive further consultation on the proposed reforms, this may not happen until late 2024.

*Information is accurate up to 27 November 2023