Australia’s new privacy laws – how will they impact your organisation?

By Benjamin Di Marco | October 31, 2022

The growing prevalence of cyber incidents highlights the need for organisations of all sizes to carefully analyse their strategy for cybersecurity.

On 22 October 2022 Australia’s Attorney-General, Mark Dreyfus, announced that the federal government would introduce the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (privacy amendments), in response to recent significant data breaches seen across Australia. The draft bill was introduced into parliament on 26 October 2022 and has been fast-tracked in light of the recent Optus and Medibank data breaches.

The need to reform Australia’s privacy regime has been a focus at a federal government level for several years, with numerous reviews and committee submissions highlighting that Australia’s current laws do not effectively address how personal data is collected, held and used by businesses, and that Australia’s penalty regime for privacy interferences is not sufficient to deter bad behaviour, nor does it provide an effective recourse for impacted data subjects.

The key changes within the privacy amendments are discussed below.

Increasing the penalty provisions

The privacy amendments will increase the maximum penalties that can be applied under the Privacy Act 1988 (Cth) (the Privacy Act) for ‘serious’ or ‘repeated’ privacy breaches from $2.22 million to whichever is the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company's adjusted turnover in the relevant period.

These revisions will more closely align the Privacy Act with the penalties regime in the Australian Consumer Law. The above penalty elements also draw on the approach taken in global privacy regimes such as the EU General Data Protection Regulation (GDPR). Since the GDPR came into effect in May 2018 significant fines have been levied against data aggregators and organisations who fail to manage and protect the personal information they collect.

Some examples of GDPR fines during 2022 include:

  1. A €20 (AUD 30) million fine issued against Clearview AI by the Italian Data Protection Authority in February 2022;
  2. A €6 (AUD 9) million fine issued against Cosmote Mobile Telecommunications by the Greek Data Protection Authority in February 2022;
  3. A €17 (AUD 27) million fine issued against Meta (Facebook) by the Irish Data Protection Commission;
  4. A €3.7 (AUD 5.6) million fine issued against the Dutch Tax and Customs Administration by the Dutch Data Protection Authority in April 2022.

The new penalty provisions are likely to have a significant impact on how the Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act. In recent years the OAIC has had difficulty imposing large penalties, with many of the fines and determinations issued by the OAIC being for amounts of less than $20,000. The OAIC has also favoured enforceable undertakings and private settlements over formal regulatory action. This approach may already be changing, given that the most recent federal budget included $5.5 million for the OAIC to conduct its regulatory investigation into the Optus breach.

The new penalty regime will raise expectations that the regulator actively prosecute major cyber incidents and impose consequences on organisations that seriously and repeatedly interfere with the privacy of Australian data subjects. This will clearly raise the financial and reputational risk for organisations that fail to manage their privacy and data security obligations.

Organisations concerned by these risks should carefully examine how potential cyber incidents would impact their balance sheet and assess their realistic financial exposures, including through cyber risk quantification.

OAIC’s information gathering powers and declaration powers

The privacy amendments will also strengthen Australia’s Notifiable Data Breaches scheme to ensure the OAIC has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals and to assess an entity’s compliance with the Notifiable Data Breaches requirements. The OAIC will also be provided with new infringement notice powers to penalise entities for failing to provide information and respond to requests from the regulator.

These amendments will significantly influence how organisations undertake a risk of harm assessment where a suspected eligible data breach has occurred. Under Australia’s Privacy Act, notification to the regulator and impacted individuals is only required if serious harm is likely to arise to any of the individuals to whom the information relates.

The organisation that sustained the data breach initially assesses whether there is a risk of harm, and if it determines there is no such risk, the organisation is not required to take further action. This self-assessment approach potentially leads to under-reporting of incidents and can also hamper the OAIC’s ability to properly investigate privacy compliance, particularly where organisations could rely on the limited information gathering powers previously available to the regulator. The new amendments are also likely to create additional work streams and documentation processes as organisations assess their obligations under the Notifiable Data Breaches scheme and the Privacy Act.

Other provisions and additional future amendments

The privacy amendments also expand on the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must comply with the law, even if they do not collect or hold Australians’ information from a source in Australia.

The privacy amendments will also enhance the OAIC’s ability to share information by disclosing relevant materials or documents to an enforcement body, an alternative complaint body, or a privacy regulator. This reflects the growing trend of regulatory bodies working closely together where a major cyber event occurs, given the complex range of legal obligations which can be triggered.

Future amendments are also anticipated, as the Attorney-General has advised that the government intends to implement any recommendations arising from its ongoing review of the Privacy Act. This is anticipated to occur by the end of the year. These additional amendments are likely to include refinements on how personal information is assessed under the Privacy Act, the rights available to data subjects whose personal information has been collected, and the methods used to collect personal information.

Risk and insurance implications of the privacy amendments

A significant challenge for organisations across Australia has been assessing the scope of the Privacy Act and the impacts of potential non-compliance. Historically, the risk of regulatory fines and penalties under the Privacy Act has been low, and in most cases the costs associated with investigations undertaken by the OAIC are limited. This can be contrasted with other forms of regulatory obligations which can have drastic financial and operational exposures for businesses.

The privacy amendments are clearly intended to have a greater deterrent impact, and to ensure that the price of misconduct is high enough to deter poor privacy behaviours and protect the Australian public. This will drive a more active regulatory environment.

Given the drastically increased penalty regime, organisations must also consider the financial consequences resulting from data security incidents. Cyber breaches have become significantly more costly in the last 24 months. The cost of ransomware-based extortion demands has increased year on year, as have the financial costs of triaging and recovering from incidents, driven by the amount of work required from expert incident response vendors. Collectively these exposures are causing malicious cyber-attacks to become one of the top financial threats for organisations, with WTW’s 2022 Directors' Liability Survey finding that cyber breaches are the second-highest concern for directors and officers across the globe.

Quantifying and understanding the realistic exposures an organisation faces from cyber and privacy events will also provide key guidance for risk managers and leadership and help organisations obtain confidence in their risk management strategies and the requirements of their insurance programs.

How can we help?

WTW’s cyber and technology risk team is market leading in cyber insurance, cyber risk management and risk quantification. Our team is led by cross-functional market leaders, including former chief information security officers, privacy and technology risk lawyers, incident response managers, compliance experts and insurance placement specialists.

We provide powerful cyber risk quantification consulting services including our Cyber Quantified (CQ) Proprietary Tool. CQ is a cyber risk prediction model which runs over 50,000 Monte Carlo (probability) simulations, estimating frequency and severity, and interactively incorporates comprehensive network outage and privacy breach liability data sets to allow organisations to examine how historical record loss and interruption incidents cause both first party and third-party loss. CQ also includes global and regional cost tables to allow the client to perform sensitivity testing to promote a better understanding of how risk and exposure profiles influence insurance drivers.

The incoming privacy amendments are a good opportunity for organisations to re-examine their approach to cyber risk and privacy, and to seek expert advice and quantification support.

WTW specialist cyber quantification support can help clients validate the appropriateness of current insurance programs, as well as support wider risk management and investment strategies. If you would like to discuss the issues arising from the privacy amendments, cyber risk quantification or cyber insurance, do not hesitate to reach out to our expert team.

Author: Benjamin Di Marco, Cyber and Technology Risk Specialist – FINEX Australasia
