Urgent reform of Australia’s privacy laws: are your cyber security processes robust enough?

January 2023  |  SPOTLIGHT | DATA PRIVACY

Financier Worldwide Magazine

January 2023 Issue


Following major cyber security breaches impacting a number of high-profile Australian corporations including Optus and Medibank in quick succession, the Australian government has introduced urgent reforms to Australian privacy law to increase penalties and enhance enforcement powers. These changes present an opportunity for Australian corporations to reassess their relationship with the personal information they hold.

In September 2022, Optus, Australia’s second largest telecommunications provider, experienced a cyber security breach which is reported to have exposed 9.8 million records containing personal information of current and former customers. Access to these records was gained through an ‘unauthenticated’ or open application programming interface (API), a software interface that allows data exchange between applications. In mid-October, Medibank, Australia’s largest private health insurer, then suffered its own cyber security crisis, with the data of 9.7 million of its current and former customers stolen, including sensitive information regarding medical procedures. At the time of writing, Medibank is still navigating a $10m ransom demand from the allegedly Russian-based hackers, who have already released sensitive files on the dark web and threaten to release more. Although these two incidents have attracted the most media attention, they are not isolated.

Australians are closely watching the response of the Albanese government, as these cyber security incidents give the impression that the existing safeguards maintained by corporations are inadequate. For many this is unsurprising in a country whose privacy laws are comparatively less stringent than those in place in some of its major trading partners overseas. Corporations are considering what these recent events will mean for the Australian privacy law landscape and for their businesses moving forward. At its annual general meeting (AGM) on 16 November 2022, Medibank’s chairperson admitted the company’s cyber security was “clearly not robust enough”. Other corporations should be asking whether their own cyber security, data collection and handling processes are fit for purpose now, and given the changes that might be coming.

The events have been a clear wake-up call for the Albanese government, which has already sprung into action by introducing urgent reforms to Australian privacy laws. On 26 October 2022, less than two months after the start of the Optus breach, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was introduced to the Australian parliament. The new Bill proposes to amend the Privacy Act 1988 (Cth), the Australian Information Commissioner Act 2010 (Cth) and the Australian Communications and Media Authority Act 2005 (Cth) to increase penalties under the Privacy Act for serious or repeated privacy breaches, provide the Australian Information Commissioner with greater enforcement powers, and provide regulators with greater information sharing powers. The Bill has passed the lower house, and the Legal and Constitutional Affairs Legislation Committee was due to publish its report on 22 November 2022, following a round of submissions which closed on 7 November 2022. The Bill is expected to pass both houses relatively shortly afterward, as there is no opposition to the principle that privacy laws need to be reformed.

Increased penalties

For corporations, the most significant change will be the new penalties proposed by the Bill. If the Bill is passed in its current form, it will increase the maximum penalty for corporations from the current AU$2.22m to an amount not exceeding the greater of AU$50m, three times the value of the benefit obtained or, if the court cannot determine the value of the benefit, 30 percent of the corporation’s adjusted turnover in the relevant period. These align with recent changes made to increase penalties for breaches of Australian Consumer Law legislation, which is also being used to address privacy breaches in Australia.

According to Mark Dreyfus, Australian attorney general, “setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data. Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.”

Notably, these penalties do not apply to small businesses in Australia with an annual turnover of less than AU$3m, which fall outside the application of the Privacy Act, with some exceptions.

Extraterritorial reach

The Bill will also amend the extraterritoriality provisions of the Privacy Act so that corporations will be required to meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia. This will apply even where foreign corporations do not collect or hold Australians’ information directly from a source in Australia, which is the nexus currently required under the Privacy Act.

There has been significant criticism of this proposed regulatory reform, as it extends the application of the Privacy Act to the regulation of information with no direct connection to Australia, and it is a change that corporations with operations in Australia will need to watch. It creates a much broader scope of extraterritorial application than privacy legislation in other jurisdictions, including the General Data Protection Regulation (GDPR), which is considered one of the stricter regimes. It also potentially puts Australian laws in conflict with laws in other jurisdictions, as a corporation would be required to comply with the Privacy Act for its operations on a global basis simply on account of carrying on business in Australia.

Enhanced enforcement and information sharing

The Bill, in its current form, also gives regulators more power regarding privacy breaches. For example, it gives the Australian Information Commissioner the power to publish notices about specific breaches of privacy to ensure those directly affected are informed, to compel entities to undertake external reviews, to compel improvement in their practices, and to compel the provision of information. The Commissioner will also have new infringement notice powers.

The Bill provides the Commissioner powers to publish a final determination following a privacy investigation and information about a final assessment report. In addition, the Commissioner will be able to publish information about ongoing privacy investigations, if it is in the public interest.

The Commissioner will also be able to share information with “enforcement bodies, alternative complaint bodies and privacy regulators for the purposes of the Commissioner”. Further, the Australian Communications and Media Authority is provided with more expansive powers to share information within government for enforcement purposes.

Australia has a ‘notifiable data breach’ scheme under which affected individuals and the Office of the Australian Information Commissioner must be notified when a data breach is likely to result in serious harm to an individual whose personal information is involved. The Bill updates this scheme by empowering the Commissioner to assess a corporation’s compliance with the scheme’s requirements and by providing the Commissioner with stronger information-gathering powers.

Further reforms

The few measures contained in the Bill are not a complete answer to Australia’s privacy and data protection challenges. They are expected to be the first wave of amendments: a separate two-year review of the Privacy Act by the attorney general’s department is due to report to the attorney general before the end of 2022 and is likely to recommend more reform. It is not yet clear how those reforms will interact with the changes being rushed through by the Bill, as there is overlap between the matters addressed by the Bill and the review.

There is a growing trend globally for multiple regulators to become involved with questions of personal information handling on behalf of consumers. For example, in Australia, privacy enforcement is now on the Australian Competition and Consumer Commission’s (ACCC) radar, the ACCC having completed its first high-profile enforcement action arising out of its 2019 Digital Platforms Inquiry. In August 2022, the Australian Federal Court ordered Google LLC to pay AU$60m in penalties for making misleading representations to consumers about the collection and use of their personal location data on Android phones between January 2017 and December 2018, following court action by the ACCC.

Looking ahead

This current landscape and overhaul of Australian privacy laws presents an opportunity for every corporation which does business in Australia and collects and holds personal information to reassess its relationship with that data.

Naturally, to avoid the significant regulatory penalties that are to be introduced, it is crucial for corporations to take time now to ensure they are aware of how the personal information they collect and hold is managed and protected throughout the information lifecycle, and of the legal obligations that apply to that personal information. Dedicating appropriate budget, and board and executive leadership attention, to ensuring robust security measures are in place is essential. While cyber security incidents and data breaches are unavoidable in the modern digital age, corporations can control their preparedness and internal practices ahead of such circumstances. Aside from avoiding regulatory penalties, this will help mitigate other sources of damage arising from a data breach, such as the financial cost of investigation and containment, the costs of an external audit, legal bills, the costs of dealing with regulators, fines, communication with and compensation for affected stakeholders, damage to reputation and brand value, and damage to customer relationships and share price.

Beyond compliance, some corporations might want to ask themselves if it is time to overhaul their attitude to privacy. Is simply sticking to bare-minimum compliance practices in Australia sustainable? Does this approach align with corporate values, strategic plans and the expectations of customers and other stakeholders? In line with the laws in some other foreign jurisdictions, should a corporation view its relationship with personal information as that of a temporary custodian and stop treating such personal information as its own asset? Australian corporations, particularly those with growth plans to enter lucrative foreign markets, would be well served if they have looked past the minimum requirements under Australian law and have already adopted internationally recognised best practices in data handling and security. It is possible these changes in mindset, and the corresponding action, might create opportunities for competitive advantage and pathways to improve long-term performance.

Ultimately, there is benefit to be gained if, as chairperson, you can stand up at your next AGM and confidently say that while your corporation faced a data breach, you were prepared: you complied with privacy laws and had robust international best practices and processes for cyber security in place. There is then little that can tear you down.


Mark Vincent is a principal and Nadine Martino is a senior associate at Spruson and Ferguson Lawyers. Mr Vincent can be contacted on +61 2 9393 0100 or by email: mark.vincent@spruson.com. Ms Martino can be contacted on +61 2 9393 0300 or by email: nadine.martino@spruson.com.
