Federal Government Proposes Increasing Penalties For Online Privacy Breaches

Thursday 28 March 2019 @ 11.30 a.m. | IP & Media | Legal Research

In a recent joint Media Release from the Attorney-General, the Hon Christian Porter and the Minister for Communications and the Arts,  the Hon Mitch Fifield, it was revealed that the Federal Government is proposing to introduce a new penalty regime under the Privacy Act 1988 (Cth) (the “Act”) to ensure Australians are protected when using online services, and that major social media companies take action to protect the personal information they collect about Australians, particularly children.

Background to the Proposed Changes

According to SBS News, the proposed changes are in response to a “boom in recent years of online companies trading in personal information.”

Under the proposed changes to be made, online companies, upon request, would be required to stop using or disclosing personal information about individuals.

The Attorney-General said in a Media Release:

"Existing protections and penalties for misuse of Australians' personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade …"

Minister Fifield also commented on the need to review Australia's cyber laws:

“… it was clear the Australian community enjoyed using social media and technology platforms, but was increasingly concerned about how personal data is captured, analysed and shared. This was particularly the case for children and members of other vulnerable community segments.”

Overview of the Proposed Amendments

It is anticipated the proposed amendments to the Act will:

  • increase penalties for all entities covered by the Act, which includes social media and online platforms operating in Australia, from the current maximum penalty of $2.1 million for serious or repeated breaches to $10 million or three times the value of any benefit obtained through the misuse of information or 10 per cent of a company's annual domestic turnover – whichever is the greater;
  • provide the Office of the Australian Information Commissioner (the “OAIC”) with new infringement notice powers backed by new penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor breaches;
  • expand other options available to the OAIC to ensure breaches are addressed through third-party reviews, and/or publish prominent notices about specific breaches and ensure those directly affected are advised;
  • require social media and online platforms to stop using or disclosing an individual's personal information upon request; and
  • introduce specific rules to protect the personal information of children and other vulnerable groups.

It is expected that the proposed amendments will provide for a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information.

Funding to the OAIC will be provided by the Australian Government, with an additional $25 million over three years to give it the resources it needs to investigate and respond to breaches of individuals' privacy and oversee the online privacy rules, it is expected legislation to make the changes will be drafted ahead of community consultation in the second half of 2019.

Effect of Proposed Changes on Tech Companies

SBS News reports companies such as Google and Facebook will be forced to pay larger penalties if they breach the new privacy laws. Social media companies and online platforms that seriously or repeatedly breach privacy laws would be fined $10 million under the reforms, compared to the current penalty of $2.1 million.

Alternatively, they could be charged three times the value of any benefit obtained by misusing information or 10 per cent of their annual domestic turnover, depending on which figure is greatest. For some companies, that could mean paying upwards of $100 million. Online companies would also be required to stop using or disclosing personal information about individuals upon request, under the changes to be made through amendments to the Act.

Comment and Reaction to the Proposed Changes

Speaking to SBS, Opposition Leader Bill Shorten said:

“… protecting people's privacy is among a range of conversations lawmakers need to have with the biggest social media companies.”

Australian Information Commissioner and Privacy Commissioner, Angelene Falk announced in a Media Release:

“…The proposed changes [to the Privacy Act], along with new rules for digital platforms that trade in personal information, are an important step in meeting community expectations that personal information will handled in a way that is transparent and accountable … These changes will strengthen our existing privacy safeguards to help ensure entities operate transparently and handle personal information responsibly.”

TimeBase is an independent, privately owned Australian legal publisher specialising in the online delivery of accurate, comprehensive and innovative legislation research tools including LawOne and unique Point-in-Time Products. Nothing on this website should be construed as legal advice and does not substitute for the advice of competent legal counsel.


Related Articles: