December 8, 2022

A senate committee has recommended passage of law changes that would substantially increase the penalties for large or repeated privacy breaches, with only minor revisions to the draft legislation.

The committee’s report [pdf] asks that the government define the bill’s terms “serious” and “repeated” interference with privacy, and that the Attorney-General’s department fold one provision of the bill into its ongoing review of the Privacy Act.

The committee’s report means that the most contentious provisions in the bill, the penalties it imposes, are likely to pass into law.

These penalties could be up to $50 million, three times the value of the benefit obtained from the privacy breach, or 30 percent of the company’s turnover during the breach period, whichever is the greatest.

The proposed fines were strongly resisted by banks and other organisations, particularly the latter two provisions.

There was considerable confusion in industry about the circumstances in which the 30 percent of turnover penalty could apply.

In its submission to the senate inquiry [pdf], the Attorney-General’s department clarified how the two variable penalties would be applied.

The three-times value and turnover penalties “are only available to be considered in the calculation of the maximum penalty where the entity has obtained a benefit from a serious or repeated interference with privacy,” the department wrote.

“If there is no benefit derived from the privacy breach, the maximum penalty that a court could apply is $50 million for a body corporate (compared to the current maximum penalty under section 13G of the Privacy Act 1988 of $2.22 million).”

It added: “An example of a benefit obtained from a serious or repeated interference with privacy could be where an entity that is a body corporate collects personal information without the consent of the individuals, in circumstances when consent was required.”

If the organisation sold the illegally collected data to a third party, a court could determine the price it was paid and, if that price were greater than $50 million, levy a correspondingly larger fine.

As for the 30 percent of turnover provision, the department said it would apply where a court determined, for example, that improperly collected data had been used to gain a competitive advantage, and the resulting benefit could be quantified by the court.

The changes have already passed the lower house of parliament.
