Australia | Publication | October 2022
Major privacy law reform in Australia gathered pace this week, with newly tabled legislation proposing to significantly increase penalties for privacy breaches, among other reforms.
In preparation for these reforms, companies that collect and process personal information should be asking the following questions:
Asking these five key questions will assist organisations to identify and manage privacy and data protection risks, in light of the proposed reforms, which include increased penalties and additional powers for the Information Commissioner. There are, of course, many other operational privacy and data protection activities that can be used by organisations to manage their privacy and cybersecurity risk.
Corporate bodies that commit serious or repeated interferences with the privacy of an individual now face penalties that are the greater of:
The ‘breach turnover period’ will be at least the 12 months prior to the breach ceasing or proceedings in relation to the breach starting, and up to as long as the contravention was occurring.2 In addition, it would appear that activities that contravene the Privacy Act today, and continue after the change in penalty regime, will be assessed against two penalty regimes when it comes to calculating penalties.
In light of the new penalty regime, assessing an entity’s high-risk data processing will be a critical activity.
The Bill introduces new powers to obtain information or documents, where the Commissioner has reason to believe that a person or entity has information or documents relevant to an actual or suspected eligible data breach, or relating to an entity’s compliance with the requirements of the Notifiable Data Breach Scheme (NDB Scheme).3 As currently drafted, the scope of the power is broad and its availability is not aligned to the timelines provided as part of the NDB Scheme. This could result in the Commissioner exercising the new powers while an entity is still managing a suspected or actual data breach in real time. Notably, these powers will permit the Commissioner to obtain information or documents about actual or suspected data breaches that occurred, or may have occurred, before the date of enactment of the powers.
This will have a direct effect on how entities manage investigations into actual or suspected breaches and the timing of notifications to the Office of the Australian Information Commissioner (OAIC), as well as managing public relations and communications to customers. Organisations will have to weigh the risks of not reporting in the early stages of a breach, against the risk that the story will break and the Commissioner will exercise these powers due to a perceived lack of transparency.
A seemingly innocuous addition to the Commissioner’s assessment powers in section 33C is the ability for the Commissioner to assess an entity’s ability to comply with the NDB Scheme, including their processes and procedures to assess and notify eligible data breaches.4 These powers are retrospective in the sense they will apply to assessments started but not concluded before commencement (as well as to assessments that start after commencement). It is likely that the Commissioner will use these powers to undertake a backward-looking review of an entity’s assessment, triage and escalation policies and processes for data breaches, and the documented reasons as to why notification was not made in respect of a breach. In the future, the existence of these powers will likely tip the decision whether to notify borderline incidents, in favour of notifying.
The Bill provides the Commissioner with the power to share information, obtained in the course of exercising powers or performing duties under the Privacy Act, with other regulatory bodies, including enforcement bodies and foreign government authorities whose functions include the protection of the privacy of individuals.5 Also retrospective in nature (as the power applies to information obtained by the Commissioner whether before or after commencement), these powers are subject to the requirement that there are satisfactory information protections in place in the receiving body. The combination of the Commissioner’s broad investigation and information gathering powers, with the right to disclose information to other regulatory agencies both in Australia and overseas, will significantly increase the Commissioner’s role in managing international data breaches, as well as breaches subject to the jurisdictions of multiple regulatory agencies in Australia.
Further, the Bill will grant the Commissioner powers to disclose this information if the Commissioner is satisfied that it is in the public interest to do so, irrespective of whether the information was obtained by the Commissioner before the commencement of the amendments.6 The use of this power, especially where an organisation is still responding to a live incident, could have grave unintended consequences and will require careful and judicious use by the Commissioner. In particular, the list of mandatory matters the Commissioner must consider in determining whether disclosure is in the public interest does not expressly include whether such disclosure would prejudice or impede an investigation and response being undertaken by an entity suffering a breach.
Where the Commissioner determines an interference with privacy has occurred, the Commissioner may require the relevant organisation to prepare and publish a statement describing the relevant conduct and the steps taken to ensure the conduct does not occur again.7 Such public statements are increasingly seen as a powerful weapon in the enforcement toolkit, by creating the risk of longer term reputational harm for entities that infringe individuals’ privacy.
This is the first step in the reform of Australia’s privacy laws, and the increased penalties and new Commissioner powers are significant. While some amendments are likely as the Bill progresses through Parliament, it is likely that many of the proposed provisions will be retained. All APP entities should immediately consider their data-based business operations and data protection program status in light of these proposals and assess what uplift or changes are required. You can start by asking questions about your privacy and data protection activities now.
© Norton Rose Fulbright LLP 2023