
Privacy law reforms: Incentivising better data protection protocols

Senior company leaders must focus on all aspects of data protection and ensure that robust strategies are in place to insulate and safeguard confidential data.

Now more than ever, to protect customer data and avoid harsh penalties, senior company leaders need a deeper understanding of their company's cyber risk exposure, so that they can actively guide and monitor data protection strategies across the entire organisation, including where data is shared with third parties.

The Australian Government has been vocal about its desire to address the growing threats brought by cyber criminals. Australia’s Cyber Security Strategy 2020 outlined how the government plans to create a more secure online environment for Australian citizens and their businesses.

Recent significant privacy breaches in Australia, which impacted the personal information and data of millions of Australians, bring the issue of cyber security and data protection back into the spotlight.

These breaches have highlighted the inadequacy of current legislated practices and safeguards in relation to data storage and protection. As a result, the Federal Government has fast-tracked substantial changes to existing Australian privacy legislation. It is seeking to “regulate how companies manage the huge amount of data they collect and apply much harsher penalties so as to incentivise better behaviour”.

In recent days, the Attorney-General has introduced legislation to significantly increase penalties for repeated and serious breaches of the Privacy Act 1988 (Cth) (“Privacy Act”).

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, recently passed by both the House of Representatives and the Senate, significantly increases the regulation of all organisations who fall within the constricts of the Privacy Act.

The amendments

The amendments impose tougher penalties for serious and repeated breaches of the Privacy Act (Australian Privacy Principles) and provide enhanced powers of investigation and enforcement for the Office of the Australian Information Commissioner (OAIC).

The legislation contains a number of key amendments:

1. Harsher penalties

The most significant and newsworthy change is the dramatic increase in the penalties that will be imposed for repeated and serious breaches of the Privacy Act. Previously, the maximum penalty was AUD $2.2 million.

The new penalties will be the greater of:

* AUD $50m, or
* 3 x the value of any benefit obtained (directly or indirectly, including by related entities) from and attributable to the breach, or
* if the court is unable to determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

2. Enhanced powers to request information

The OAIC has increased powers to request information and conduct compliance assessments under the notifiable data breach regime. These powers allow the OAIC to ask for information, documents and answers to questions not only from the relevant entity that has suffered the data breach, but also from other organisations and entities that might have (in the opinion of the OAIC) relevant information.

The repeated failure to provide this information or to answer questions from the OAIC can also attract significant penalties.

3. Increased information sharing powers

The bill expands the Australian Communications and Media Authority’s information sharing powers and the OAIC’s ability to share information obtained from its investigations and determinations of complaints with other Australian and foreign privacy regulators and complaints bodies.

4. Extraterritorial scope

The requirements under the Privacy Act extend to foreign entities and organisations that carry on business in Australia, irrespective of whether or not they actually collect the personal information directly from individuals in Australia or hold the information here.

5. Greater enforcement powers

A wider scope of enforcement powers has been granted to the OAIC to require organisations to conduct external reviews into their internal procedures, to publish details of those determinations and/or to provide notices about specific privacy breaches to affected individuals.

6. New powers to make determinations following the investigation of complaints

The OAIC can order the entity to engage an independent advisor to review the acts and practices of the organisation and the proposed remediation of the complaint. The bill also proposes that the OAIC can require the organisation to prepare an approved statement describing the conduct it engaged in and either distribute this statement to the complainants or publish it.

What does this mean for Australian organisations?

The fast tracking of this bill sends a very clear message that the Australian government is taking data and privacy breaches very seriously. The new penalties imposed for serious and repeated data breaches far exceed the previous penalties and are amongst the harshest in the world.

In addition, the amendments provide new wide-reaching powers of information gathering and investigation to the OAIC, and allow the information and outcomes from those investigations to be shared with other privacy regulators and complaints bodies globally.

Boards and senior executives must now not only understand their key cyber exposures and implement enterprise-wide cyber risk management, but must also focus on all aspects of data protection and ensure that robust strategies are in place to insulate and safeguard confidential data entrusted to them by customers, employees and third parties. Organisations should conduct a comprehensive review of the data stored within the organisation, the business or commercial need for retaining that data, the manner in which it is held, and how it is used and cleansed.

An insurance policy should not act as the primary solution for managing a company’s exposure to cyber attacks or data breaches; however, mitigating risk through insurance plays an important role in the overall risk management protocols of a business. Purchasing standalone cyber insurance remains an important risk transfer mechanism in addressing growing cyber threats. It is a policy designed to respond in the event of a data breach, providing important financial, operational and reputational protection to an organisation.

Marsh offering

As your trusted advisor and partner in cyber risk management and enterprise risk assessment, Marsh can work with you to determine your current cyber risk posture and implement improved protocols and procedures to enhance insurability, loss mitigation and cyber resilience. These reviews will extend beyond your technical risk management procedures to include the enterprise wide review of cyber resilience, data protection and incident preparedness.

This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors. Marsh makes no representation or warranty concerning the application of policy wordings or the financial condition or solvency of insurers or re-insurers. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage. LCPA 22/530.
