Key Privacy Reforms – A three tiered civil penalty regime overhaul with significant bite
Market Insight, 25 November 2024
Regulatory risk
In this, the fifth and final of our deeper dives into the key areas of the reforms to the Privacy Act in the Privacy and Other Legislation Amendment Bill 2024 (Cth) (Bill), we examine, from the perspective of organisations, the three-tier civil penalty regime and, in particular, the new (a) mid‑tier and (b) administrative-style ‘infringement notice’ civil penalties, both of which are likely to have a significant impact on the current enforcement regime for privacy contraventions.
Our previous articles in this series:
- general overview of the key aspects of the Bill can be found here;
- first deeper dive on the statutory right of action for serious invasions of privacy can be found here [link];
- second deeper dive on automatic decision making and offshore disclosures can be found here [link];
- third deeper dive on the increased security requirements, the new APP 11.3 and TOMs can be found here [link]; and
- fourth deeper dive on what constitutes a ‘serious interferences with privacy’ and the new orders available to the Court can be found here [link].
What is it?
The three-tiered civil penalty regime introduced in the Bill, once passed as currently drafted, (a) introduces two new categories of civil penalties to give the OAIC/Privacy Commissioner (PC) a broader range of enforcement options and (b) needs to be understood in the overarching context of the objects of the Privacy Act (as revised in the Bill), which objects will be considered by the Court when imposing or upholding (in the case of a challenge to an infringement notice) these civil penalties. In the Explanatory Memorandum these changes (the new mid and low‑tier penalties and changes to the objects) are described as giving the PC a range of enforcement options and civil penalties commensurate with the seriousness of the organisation’s interference with privacy and to fill a gap in the current enforcement options, including the ability for the PC to “issue infringement notices for civil penalties for relatively minor contraventions of the Privacy Act”.
As a reminder, since mid‑December 2022 the increased current (soon to be ‘high‑tier’) civil penalty for serious interferences with privacy (the “or repeated” limb of “serious or repeated interferences” being removed in the Bill) is up to the greater of:
- $50 million;
- three times the value of the benefit obtained during the contravention; and
- 30% of “adjusted turnover” (i.e. effectively revenue) during the greater of the period of contravention and 12 months.
The revised objects
The Bill promotes the right to privacy of individuals by amending the objects of the Privacy Act to expressly include the object (i.e. intention) of the Privacy Act to promote the protection of all individuals’ personal information and to recognise the public interest in protecting the privacy of individuals under the Privacy Act. This revised object emphasises the public benefit of strong privacy protections under (and thus of the strong enforcement of) the Privacy Act.
The mid‑tier civil penalty
The Bill, if passed as currently drafted, introduces a new “mid‑tier” civil penalty for any (other than serious) interferences with the privacy of an individual. The amount of this mid‑tier civil penalty, for organisations, is up to $3.3 million. The PC must apply to the Court to impose this mid‑tier penalty (like for the current high‑tier penalty). In any relevant proceedings the Court may decide to impose the mid‑tier penalty, even if the PC is seeking the imposition of a high‑tier civil penalty. Likewise, if the PC applies for a mid‑tier civil penalty, it is open to the Court to consider if a high‑tier penalty is more appropriate.
The ‘contraventions’ which are interferences with the privacy of an individual, and are therefore subject to this mid‑tier civil penalty (or the high‑tier penalty, if serious), include any:
- breach of an APP or a binding registered APP Code in relation to personal information;
- breach of the Tax File Number Rules in relation to tax file number information that relates to an individual;
- unauthorised request for a TFN (i.e. tax file number information) of an individual; or
- breach of any of the assessment of an eligible data breach, preparation of a statement or notification obligations as regards an eligible data breach under the Notifiable Data Breach Scheme in the Privacy Act.
The ‘infringement notice’ civil penalty
The Bill also introduces, if passed as currently drafted, a low‑tier ‘infringement notice’ civil penalty for contraventions of specified ‘minor’ privacy obligations and for non‑compliance with certain specified eligible data breach notice provisions. The PC is entitled to issue these infringement notices directly to the organisation for a civil penalty of up to $330,000 for each relevant contravention. That is, if the infringement notice relates to multiple relevant contraventions, then the civil penalty of up to $330,000 can be levied by the PC for each and every one of those relevant contraventions.
The relevant contraventions which are within the scope of the infringement notice civil penalty (IN contraventions), and the APPs to which they relate, are:
- failure to have a clearly expressed up‑to‑date APP privacy policy (APP 1.3);
- failure to include the required information in an APP privacy policy (APP 1.4);
- failure to provide individuals with the option to not identify themselves (APP 2.1);
- failure to make a written record of a use or disclosure under APP 6.2(e) (APP 6.5);
- failure to provide a simple means by which the individual may easily opt‑out of marketing communications (APPs 7.2(c) or 7.3(c));
- failure to appropriately draw attention to an individual’s ability to opt‑out of marketing communications (APP 7.3(d));
- failure to give effect to a request to opt‑out of marketing communications within a reasonable period (APP 7.7(a));
- failure to notify the source of information on request within a reasonable period (APP 7.7(b));
- failure to deal with a request for correction under APP 13.1 or associated statement under APP 13.4 within the specified timeframe (APP 13.5);
- any breach of any other APP prescribed by regulation; or
- failure to include all of the required information in an eligible data breach statement or notification.
How will this impact you?
These reforms do not simply clarify when the existing civil penalty applies; they introduce an entirely new, more flexible and proportionate enforcement/civil penalty regime. We expect that the PC will use both of these new ‘tiers’ of civil penalties, especially the infringement notice mechanism, to drag the privacy compliance of organisations to a substantially higher level.
For organisations and their insurers, we expect that this will mean a significant uptick in regulatory investigations and enforcement action – those where penalty enforcement proceedings were previously disproportionate. The new powers are likely to significantly change how the PC decides what to investigate and what regulatory action should be taken.
Any uptick in regulatory action will also carry enhanced litigation risks, with plaintiff law firms and litigation funders likely to seek to capitalise on findings from regulatory investigations to identify organisations to target and which causes of action and compensatory machinery they should pursue.
Mid‑tier civil penalty
The mid‑tier civil penalty allows the PC to seek a fine of up to $3.3 million be imposed by the Court for interferences with privacy (i.e. contraventions) which are not serious infringements. This opens up a range of contraventions to a civil penalty which are not currently subject to a civil penalty, avoiding the current requirement of seriousness which has limited the application of the current (high‑tier) civil penalty to just one case, against Facebook/Meta, since its introduction in 2014.
We expect to see a significant focus of the PC on the mid‑tier (and ‘quick wins’ of the infringement notice) civil penalty rather than pursuing the high‑tier, especially given the lower threshold to establish an interference with privacy for the Court to impose the up to $3.3 million penalty. In addition to any penalty imposed by the Court, organisations must also consider the incidental costs of defending such proceedings and the impacts the resulting ‘publicity’ will have on their reputation.
As discussed in deeper dive four, the new orders introduced by the Bill relate to all civil penalty proceedings and provide the Court with significant and flexible tools to ‘promote the rights of affected individuals’, even where a civil penalty (of any tier) is not imposed or upheld by the Court. Also, organisations that have any contraventions/interferences with privacy (even if not serious) that occurred up to six years prior to the commencement of any related civil penalty proceedings by the PC (after the Bill is passed) face the possibility, if a contravention of a civil penalty provision is established, of affected individuals applying to the Court for a range of orders to be made by the Court, including compensation and/or remedial actions to be undertaken by the organisation. This is irrespective of whether any civil penalty is imposed or upheld.
The infringement notice penalty
The “low‑tier” infringement notice civil penalty for the breach of the most basic privacy obligations under the Privacy Law (i.e. the IN contraventions) will be a ‘game changer’ for privacy enforcement by the PC. Without the need for the Court to approve them, the PC may issue an infringement notice with a fine of up to $330,000 for each IN contravention directly on the organisation. If the organisation receiving the infringement notice does not wish to pay the specified civil penalty(ies) it may challenge the notice in Court. This has the effect of shifting the decision to litigate from the PC to the impacted organisation.
Although in the case of any challenge:
(a) the IN contraventions are expressed in ‘black and white’ terms and, factually, it seems that it will be clear whether or not the relevant ‘failure’ (i.e. IN contravention) occurred, so it is unlikely the PC would get it wrong; and
(b) if these proceedings are commenced by the organisation then any affected individuals will be able to apply to the Court considering such a challenge for compensation or other remedial action orders where a breach of a civil penalty provision (i.e. an IN contravention) is established and even if the infringement notice was overturned.
What you can do to prepare
Given the expectation that the Bill will be passed and that these provisions will be immediately effective from mid‑2025 (i.e. there is no transition period after Royal Assent), there is no time to waste.
In relation to the mid‑tier civil penalty, organisations must audit/reconsider their compliance with each of the APPs, the Tax File Number Rules and the relevant eligible data breach obligations together with, as noted in prior deeper dive articles, the organisational accountability obligation under APP 1.2.
In relation to the infringement notice civil penalty, it is even more straightforward. Organisations must ensure that they have appropriate processes, policies and management/oversight in place to address (i.e. prevent from happening) each and every potential IN contravention.
Given the stakes involved (e.g. penalties of up to $3.3 million for each interference with privacy contravention of an APP involving personal information and up to $330,000 for each and every IN contravention), we recommend that these reviews be undertaken by experienced external privacy lawyers (e.g. Clyde & Co). The report(s) arising from these reviews must detail (a) where the organisation stands now, (b) what is needed to meet current requirements and the reforms in the Bill, to avoid being in contravention of any of the civil penalty provisions and (c) practical organisation specific ‘fixes’ and suggested uplift to address any ‘gaps’ arising from (a) and (b), as Clyde & Co do in our RAG review reports.
Our Digital Law, Cyber Advisory and Digital Disputes teams can assist you to quickly determine whether or not your organisation has appropriate privacy and security practices, procedures, systems and frameworks in place to minimise and manage the risks of a mid‑tier civil penalty being sought and imposed, and to avoid altogether giving the PC any basis to issue an infringement notice to it for an IN contravention. If not, we can advise on and assist you with the implementation of the necessary measures now in order to address, minimise and manage, if not eliminate, these risks. We can also review your contractual frameworks to manage regulatory risk across your supply chain and assist you to develop engagement strategies to decide whether and when to challenge alleged IN contraventions and to mitigate the risk of a mid‑tier civil penalty being considered by the PC. If regulatory action occurs, our team of experts is standing by to guide you through the process while minimising reputational and operational damage.
Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated market leading privacy and cyber incident response practice across Australia and New Zealand. All of this ensures your “readiness, response and recovery” is in good hands. We provide end‑to‑end privacy and cyber risk management solutions for clients including advice, strategy, transactions, innovations, cyber and privacy pre‑incident readiness, incident response and post‑incident remediation and recovery, regulatory investigations, dispute resolution, recovery of damages and third-party claims. We offer market leading practical solutions, focussed pragmatic assistance and implementable advice.