In brief
In another change to the continually evolving Australian privacy legislative landscape, proposed changes to the Privacy Act have been announced. The changes seek to increase the powers of the OAIC and substantially increase penalties for privacy breaches. Whether this is the first step away from the current educational approach to privacy compliance taken by the OAIC as opposed to the punitive approach taken by overseas regulators is yet to be seen. However, the importance of ensuring privacy compliance in light of the proposed increased penalties is paramount.
What you need to know
Will the OAIC use their increased powers?
If the new laws are passed, is the OAIC going to utilise their new powers when they haven’t previously?
The last few years have already seen major changes to the Australian privacy legislative landscape, with the implementation of the Australian Privacy Principles in 2014, the Notifiable Data Breach scheme in 2018, and other recent Government initiatives including the Consumer Data Right.
In making sense of the Australian privacy legislative landscape and the most recent proposed amendments to the Privacy Act, it is important to reflect on the comments made by ACCC Chairman Rod Sims in relation to privacy issues that: ‘data is not unique to Google and Facebook’.
Those comments are significant because, to date, they reflect the OAIC's approach to privacy compliance, which has primarily focused on educating all potentially affected organisations rather than penalising, and making an example of, a select few behemoths with deep pockets.
If the OAIC were now to up the ante, it would be following the approach of regulators in the EU, who have used their broad powers under the General Data Protection Regulation (GDPR) to penalise large technology companies, notably including a 50 million euro fine issued to Google in January 2019.
What you need to do
Regardless of whether the OAIC utilises its increased powers to their fullest extent, affected organisations must remain alert when it comes to legislative privacy compliance. We recommend affected organisations.