The Privacy Review & the NDB Report

The attorney general calls for more substantial but easier-to-follow compliance with privacy regulations. 

In mid-February, the long-awaited review of the privacy legislation made  116 proposals on how they can strengthen privacy legislation in Australia. 

The Office of the Australian Information and Privacy Commission (OAIC) commissioner Angelene Faulk supports the proposal for ‘fair and reasonable’ protections for personal information as the new keystone for privacy legislation and regulation. 

Faulk said in an official statement, “This shifts the burden from individuals, who are currently required to safeguard their privacy by navigating complex privacy policies and consent requirements, and places more responsibility on the organisations who collect and use personal information to ensure that their practices are fair and reasonable in the first place.”

The attorney general proposes that the notifiable data breaches scheme should be stringer and streamlined to make it easier for corporations to meet their compliance obligations. 

• equip the Regulator with more options to enforce privacy breaches
• enhance the Regulator’s ability to proactively identify and address privacy breaches
• provide the Courts with enhanced powers to make orders against entities that have breached their privacy obligations
• provide new pathways for individuals to seek redress in the Courts for privacy breaches, including through a new tort for serious invasions of privacy
• improve how entities respond when a serious data breach occurs and simplify reporting processes for entities
• reduce regulatory complexity by working with states and territories to harmonise key aspects of privacy laws

 
This week the OAIC published the Notifiable Data Breach report from July to December 2022. 
The report showed a 26 per cent increase in breach notifications. Health service providers are the most reported-on industry, closely followed by the finance industry.
. 
Seventy per cent of all breaches are malicious or criminal attacks, and 71 per cent of all incidents were reported within the requisite 30 days. 
 
The review and NDB report came just a little over a month after the privacy legislation amendment at the end of last year. 

Faulk noted that the reforms follow the passing of the Privacy  Legislation Amendment (Enforcement and Other Measures)  Bill 2022, which increased penalties for infringements of the privacy act with strengthened.
 
Penalties from the 2022 amendment. 

•  $50,000,000;
•  if the court can determine the value of the benefit that the body corporate, and any related body corporate, have  obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
•  if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

 
December also saw the privacy regulator officially investigate Medibank for significant breaches in 2022. 
 
OAIC commissioner said in an official statement, “It also contains other important proposals, such as enabling individuals to exercise new privacy rights and take direct action in the courts if their privacy is breached, and the removal of some exemptions from the Privacy Act. These proposals reflect the baseline privacy rights expected by our community.”