Higher penalties to help protect Australians’ privacy

25 October 2021

Higher penalties outlined in draft legislation released by the Australian Government today will align privacy and consumer law penalties and help address serious privacy risks to the community, the Office of the Australian Information Commissioner (OAIC) said.

Australian Information Commissioner and Privacy Commissioner Angelene Falk welcomed the draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 detailing proposed penalties and the scope of a new Online Privacy Code.

“These updates to penalties are needed to bring Australian privacy law into closer alignment with competition and consumer remedies,” Commissioner Falk said.

“We also welcome new information sharing powers, which will facilitate engagement with domestic regulators and our international counterparts to help us perform our regulatory role efficiently and effectively.

“This legislation is an important step towards the OAIC having more of the regulatory tools we need to take a risk-based approach to preventing harm.”

Under the draft bill, the maximum penalty of $2.1 million for serious or repeated breaches of privacy will increase to not more than the greater of $10 million, or three times the value of any benefit obtained through the misuse of information, or 10 per cent of the entity's annual Australian turnover.

The exposure draft includes new code-making powers to enable the development of an Online Privacy Code to regulate social media services, data brokerage services and large online platforms.

The code will be developed by industry and will include requirements for these companies to be more transparent about how they handle personal information and seek specific consent from users. It will also include more stringent privacy requirements for children.

Commissioner Falk said the release of the exposure draft was an important opportunity for interested parties to provide feedback during the consultation period.

“The issues of age verification and parental or guardian consent can be informed by overseas experience and the eSafety Commissioner’s current work in this area,” she said. “As a contribution to this discussion, the OAIC is releasing independent research we commissioned about the privacy risks and harms facing children online.”

Commissioner Falk said the scope of organisations covered by the code was another important aspect of the consultation.

The Attorney-General’s Department has also released a discussion paper for consultation as part of its current review of the Privacy Act 1988.

“The release of the discussion paper is a critical step in ensuring our privacy framework can support fair and reasonable handling of personal information and protect Australians’ data wherever it flows,” Commissioner Falk said.

“It makes a number of proposals to reposition Australia’s privacy law for the next decade to prevent harm to individuals while promoting innovation and supporting our economic success.

“This includes proposed changes to the regulatory framework intended to deliver risk-based and proportionate responses to address existing and emerging privacy issues and minimise harms.”

The OAIC will review the discussion paper and respond as part of the consultation process.