
Key cyber risk – a hidden sting on privacy reforms

By Benjamin Di Marco and Olivija Radinovic | July 20, 2022

Proposed changes to Australian privacy laws have significant risk and insurance implications. If your business collects personal data, your cyber insurance cover needs to remain fit for purpose.

There are significant risk and insurance implications for organisations as changes to Australia’s privacy laws come into effect, as Ben Di Marco and Olivija Radinovic report.

Proposed amendments to Australia’s Privacy Act 1988 (Cth) are likely to be brought forward quickly, with a strong focus placed on providing greater protections for individuals impacted by privacy breaches. Understanding these incoming changes will be a significant component in the way organisations address privacy and their wider data security strategy.

The most immediate privacy enhancements are likely to be drawn from the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, which is currently going through a consultation phase. If passed, it will introduce major changes to the local risk landscape by:

  • increasing the maximum penalty for serious and repeated interferences with privacy
  • introducing significant new roles for "online platforms" and monitoring privacy interferences
  • enhancing the Privacy Commissioner’s powers
  • expanding the extraterritorial application of the Privacy Act.

Many of these proposed changes have wide-reaching implications, which we consider here together with practical recommendations for Australian organisations on how to navigate these headwinds.

Insurance and risk implications

Major increases in financial penalties and regulatory exposures are being contemplated, where organisations significantly interfere with the privacy of individuals. The proposals, as they stand, will considerably raise the financial harms that may arise where Australian organisations adopt poor privacy practices. The proposed changes also focus heavily on large data aggregators and on greater privacy controls for organisations that engage in data brokerage, social media and online marketplaces.

Organisations concerned by greater privacy liability will need to closely examine their cyber liability insurance program, given this provides key coverage to meet the costs of regulatory and third party actions arising from breaches of data privacy law. Careful consideration should also be given to limits and deductible structures, as well as what incident response and remediation supports will help regulated organisations effectively navigate and reduce their privacy exposure. Finally, quantum issues should also be carefully considered, to ensure the amount of any insurance purchased is proportionate and effective.

The journey towards the Privacy Bill

Effective transparency and consent processes have been identified as a key gap within Australia’s existing privacy laws and drive many of the proposed reforms.1 As technology advances, many Australians have expressed the view that privacy laws have struggled to maintain effective protection or ‘keep up’ with changes, resulting in individuals’ personal and sensitive information being unnecessarily collected, processed, transferred and compromised.2 This is reflected in the Australian Government’s ongoing commitment to ensuring that individuals’ information is adequately protected in law.3

The extent of significant data breaches in Australia has also attracted greater media attention since Australia introduced its Notifiable Data Breaches Scheme, which requires entities subject to the Act to report data breaches that are likely to result in a risk of serious harm to affected individuals. In the Office of the Australian Information Commissioner’s (OAIC) July to December 2021 report, there was a 6% increase in notifications, with a total of 464 incidents disclosed; 55% were related to malicious or criminal attacks, and 37% of them were cyber-related incidents.4

The Australian Government has also acknowledged that the growth of social media and online platforms poses new challenges to the protection of individuals’ privacy in the digital age, and that the misuse of Australians’ personal information by social media and online platforms is a key risk to the wider community.

Key reforms proposed

Increased maximum penalties

Under the current Privacy Act, the maximum penalty that can be imposed on a regulated entity is $2.1 million for serious or repeated breaches. The Privacy Bill proposes to increase the penalties for these offences to 2,400 penalty units (roughly $532,800) for a natural person and, for an organisation, the greater of:

  1. $10 million, or
  2. three times the value of the benefit obtained resulting from the serious and repeated interference with privacy, or
  3. where the value cannot be determined, 10% of the organisation’s domestic annual turnover.5

These changes bring the Privacy Act in line with the revised penalty regime introduced into the Australian Consumer Law. The OAIC has highlighted the importance of a stronger penalty regime to ensure that business activities are regulated so that entities prevent harm to individuals and appreciate the seriousness of infringing an individual’s privacy. It is also proposed that these measures will encourage organisations to uplift the processes by which they collect, use, protect and disclose personal information.

Online Privacy Code

The Privacy Bill proposes the implementation of an Online Privacy Code, targeted at three types of private sector organisations: social media services, data brokerage services and large online platforms.6

A social media service is an organisation that:

  1. ‘its sole or primary purpose is to enable online social interaction between two or more end-users including online interaction that enables end-users to share material for social purposes
  2. end-users can link to, or interact with, some or all the other end-users
  3. end-users can post material’ (Privacy Bill s6W).

A data brokerage service includes any organisation that:

  1. ‘collects personal information about an individual for the sole purpose of disclosing that information in the course of or in connection with providing a service and
  2. the information is collected by the organisation from the individual using an electronic service or
  3. was previously collected by another organisation from the individual using an electronic service’ (Privacy Bill s6W).

A large online platform is an organisation that:

  1. ‘has over 2,500,000 end-users in Australia and
  2. who collect personal information about an individual in the course of or in connection with providing access to information, goods or services by the use of an electronic service’ (Privacy Bill s6W).

The explanatory paper outlines the aim to capture those organisations that deal with large amounts of personal information online, with the code requiring organisations to provide timely notice to individuals and obtain voluntary consent when information is being collected, used or disclosed. The Attorney-General has the power to prescribe and exclude named organisations, and there is intended to be a specific exclusion for personal information collected for loyalty programs.7

Acknowledging the high risk posed to children and vulnerable groups online, the code will include strict requirements on the way personal information is collected, used and disclosed, ensuring that a level of ‘reasonableness’ is employed by organisations in dealing with these groups.8

The code will encompass a new requirement to cease using or disclosing information where a request is made by the individual data subject, aligning with the policy underpinnings of the right to erasure and ultimately giving individuals greater control over their personal information.9

Commissioner powers

The reforms will allow the Commissioner to assess an entity’s compliance with the Notifiable Data Breaches Scheme, the Online Privacy Code, and ‘any kind’ of compliance with the Privacy Act.10 The Commissioner will hold stronger document-compelling powers for assessments, and the power to issue infringement notices to ensure compliance.11

Further, the Commissioner can provide relevant documents to a law enforcement agency, an alternative complaint body or privacy regulators if an offence is suspected to have been committed, and will be able to decide that an entity must take ‘specified steps’ to rectify the behaviour or security failings that led to the interference with privacy.12

The OAIC has emphasised the necessity of Commissioner powers and assessments to identify potential privacy issues before personal or sensitive information is misused or released. Alongside their preventive function, assessments will require organisations to be diligent in their compliance with the Privacy Act, given the investigative action that can follow. Organisations will need to be actively aware of potential privacy breaches and should remediate issues as they appear.

Extraterritorial application

The removal of the Act’s ‘Australian link’ requirement will see a wide range of organisations subject to its provisions.

Following the decision in Facebook Inc v OAIC [2022] FCAFC 9, organisations that source or hold Australians’ data (directly or indirectly) will be subject to the Act. The Privacy Bill proposes to reinforce this by removing the extraterritorial requirement that information be collected within Australia, so that the Act more broadly covers any Australian information collected for the purpose of ‘carrying on a business’.13

The expansion of the Commissioner’s powers alongside the proposed extraterritorial application will require entities engaging with Australians’ data to be diligent in their mechanisms for protecting personal information and their protocols around data breaches.

How WTW can assist

As the privacy landscape evolves and expands, organisations that interact with individuals’ data will face greater privacy compliance obligations and heightened demands to protect and manage the personal data they hold. Where poor privacy practices are identified, there will be increased legal risks including greater penalties, third party liability and reputational harm.

Going forward, privacy is likely to become an increasingly key risk that organisations must manage through their internal controls, data governance processes and insurance strategies.

WTW provides a range of services that can examine an entity’s realistic cyber-related threats and the potential privacy and regulatory breaches specific to that entity. Using a cyber quantification tool, network outage and privacy breach liability data can be drawn on to estimate realistic incident response expenses and the third party liability associated with cyber and privacy events.

Alongside this, WTW offers targeted risk assessments to help an organisation understand what their privacy risks are and develop effective action plans and risk management strategies.

WTW also provides insurability and placement support targeted to an organisation’s specific risk concerns, and market-leading cyber and technology risk insurance solutions that address the first and third party expenses arising from privacy and data loss events. If you require support across any of these matters, please do not hesitate to reach out to the WTW team.

Footnotes

1 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Regulation Impact Statement, p 4-5.

2 https://theconversation.com/83-of-australians-want-tougher-privacy-laws-nows-your-chance-to-tell-the-government-what-you-want-149535#:~:text=In%20the%20Australian%20Privacy%20Commissioner's,in%20a%20time%20of%20crisis.

3 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Regulation Impact Statement, p 3.

4 https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2021.

5 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Section 13G.

6 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Section 6W.

7 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Explanatory Paper p 8.

8 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Section 26KC (6).

9 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Explanatory Paper p 10.

10 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Explanatory Paper p 20.

11 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Explanatory Paper p 19-20.

12 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Sections 33A, 52(1A).

13 Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, Exposure Draft, Explanatory Paper p 22.

Authors

Cyber and Technology Risk Specialist – FINEX Australasia

FINEX National Australasia Team
