Australia | Publication | November 2021
This article was co-authored with India Bennett.
After months of anticipation regarding the ongoing review of the Privacy Act 1988 (Cth), the Federal Government has galvanized the Australian privacy landscape with two significant developments.
Firstly, the Government has released a discussion paper about the reform of the Privacy Act. The discussion paper considers stakeholder feedback on the issues paper released in October 2020 and seeks further feedback on potential changes to the Privacy Act. Public consultation for this discussion paper is open until 10 January 2022. In the coming weeks, we will share with you our insights on the 217-page discussion paper.
Secondly, the Government has released an exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, otherwise known as the “Online Privacy Bill”. In this article we set out a brief overview of what businesses should be considering in respect of the Online Privacy Bill.
The Online Privacy Bill is intended to give effect to the Federal Government's commitment to strengthen the Privacy Act by increasing penalties and associated enforcement provisions, as well as enabling the introduction of a binding online privacy code for social media and certain other online platforms.
The Online Privacy Bill proposes significantly increased penalties for serious or repeated interferences with privacy under the Privacy Act. For body corporates, the maximum penalty will increase to an amount not exceeding the greater of:
This amounts to an almost five-fold increase from the current maximum penalty of A$2.22 million with regard to the dollar cap and potentially significantly more under the second and third limbs. The proposed penalties are similar to the maximum penalties under the Australian Consumer Law. In comparison, the monetary cap is still much less than the cap under the EU General Data Protection Regulation (GDPR), including the UK version post-Brexit, where the maximum penalty for serious infringements is the greater of €20 million (about A$31 million) or 4% of annual global turnover. However, for businesses with an annual turnover in excess of A$100 million, the 10% turnover cap should not be dismissed lightly.
The increase in the maximum penalty is intended to send a clear message to Australian and foreign entities subject to the Privacy Act that breaches will be treated seriously, and to reinforce the need for compliance. This risk is further increased by separate proposals to introduce new compliance obligations under the Act and to expand the scope of foreign entities which will be subject to the Act. In order to manage the risks, privacy governance and compliance programs will need to be reviewed, or implemented where they are not already in place.
The Online Privacy Bill also proposes the introduction of a new online privacy code (the OP code) to regulate various categories of organisations which collect and commercialise personal information in the course of providing electronic services. Collectively, these organisations will be called OP organisations and they will be required to comply with the OP code.
The OP code is yet to be developed and the government proposes that the OP code be developed by industry within a few months of the Bill becoming law. If industry groups are not able to develop the OP code, the Privacy Commissioner will be empowered to develop the OP code herself. An ambitious timetable has been proposed. The OP code is expected to be commissioned, developed, registered and implemented within 12 months of the Bill becoming law.
The OP code is intended to set out detailed obligations about how OP organisations must comply with the Australian Privacy Principles and how they must also comply with certain additional obligations. By using the OP code as a method of targeted law reform, OP organisations are likely to become subject to detailed and potentially far-reaching obligations. The draft Bill suggests that the OP code must address matters such as:
Some of these requirements are likely to require OP organisations to make substantial investments in new technology, processes and procedures. In particular, OP organisations are likely to need to substantially revise their privacy notices, customer on-boarding processes, and introduce an age verification process and consent management system.
It will therefore be critical for organisations to determine whether the draft Bill, if passed, would apply to them. The government has released an explanatory memorandum with the draft Bill that gives the following examples in respect of each category of OP organisation:
There are some important exemptions:
Public consultation for the exposure draft of the Online Privacy Bill is open until 6 December 2021. The Government will then consider stakeholder feedback and develop a further draft of the Online Privacy Bill to introduce to Parliament.
The proposals under the draft Bill in respect of social media organisations, data brokerage organisations and large online platforms have the potential to create substantial compliance burdens. Combined with the proposed increased penalties, the compliance risks for OP organisations will be higher. We recommend that OP organisations engage with the consultation process and, if the Bill is passed, also participate in the development of the OP code where practicable.
If you would like any assistance with preparing a submission in response to the exposure draft, or otherwise managing your company’s compliance with the Privacy Act, please get in touch with a member of our team.
© Norton Rose Fulbright LLP 2023