Key Senate amendments to the Privacy Act enforcement reforms

We are still awaiting an “as passed” version of the Privacy and Other Legislation Amendment Bill (Bill) which passed on Friday 29 November 2024 to determine the full extent and impact of the Senate’s amendments to the Bill.

However, in the meantime and most relevant to our fifth deeper dive article released last week, available here, we thought it important to update you on what the Senate’s key passed amendments do to the new civil penalty and infringement notice regimes introduced by the Bill.

In summary and most relevantly in respect of the new civil penalty and infringement notice regime, the Senate’s relevant amendments (which passed as part of the Bill) confirm, amend and/or introduce the following:

• The existing civil penalty for a serious interference with an individual’s privacy (the Bill removes ‘or repeated interferences’ aspect) will still attract a fine up to the greater of $50 million and 30% of revenue during the longer of 12 months and the period of the relevant serious interference, noting this could go back to mid‑December 2022 when the revised penalty was introduced.
   
• A new mid‑tier civil penalty of up to $3.3 million for incorporated organisations for interferences with the privacy of an individual is introduced.  While an interference with the privacy of an individual (i.e. breaches of the APPs that relate to the personal information of a individual) must be established, this will not require the same the level of ‘seriousness’ as the existing (and now top‑tier) serious interference with privacy civil penalty.  As a result, the expectation is that it will be significantly easier for the Privacy Commissioner to convince the Court to impose this civil penalty on infringing organisations.
   
• A new low‑tier civil penalty of up to $330,000 for incorporated organisations for breaches of the named ‘contraventions’ in the new ss 13K(1) and (2) Privacy Act is introduced.  These are very specific and, while seemingly basic obligations, are fundamental requirements under the Privacy Act/APPs (e.g. having a clearly expressed and up‑to‑date privacy policy as per APP 1.3).  We expect that obtaining a Court order imposing this civil penalty will be a relatively straightforward exercise given both the black and white nature of the stated contraventions and the relevant ease of establishing that they occurred (e.g. the organisation either has an APP 1.3 compliant privacy policy or it doesn’t).
   
• As an alternative to seeking a civil penalty be imposed by the Court, the Privacy Commissioner can now issue an infringement notice with respect to one or more of the specific contraventions noted in s 13K(1) and (2) Privacy Act for an amount of $19,800 for incorporated organisations and $66,000 for listed companies for each contravention.
   
• If the organisation/company does not wish to pay the amounts noted in the infringement notice (or otherwise wishes to challenge it), the organisation must commence proceedings in the Court.  
   
• In addition to the civil penalty and infringement notice regimes noted above, there is now also a “compliance notice” mechanism (introduced with the Senate amendments).  This allows the Privacy Commissioner (and key OAIC staff), in their discretion and instead of seeking a civil penalty order or issuing an infringement notice, to issue a compliance notice.  The compliance notice is not mandatory or a required step before seeking a civil penalty order or issuing an infringement notice but, instead, is a further tool that can be used by the Privacy Commissioner to uplift privacy compliance.
   
• The compliance notice must specify what the relevant breach (e.g. contravention or interference with an individual’s privacy) is and detail the action that must be taken (or refrained from being taken) and/or the steps that must be taken within the time specified in the notice to address the contravention or breach to ensure that the conduct constituting the breach or contravention is not repeated or continued.
   
• The issuing of a compliance notice halts (and, if the organisation complies with the compliance notice, stops permanently) the Privacy Commissioner from seeking a civil penalty order or issuing an infringement notice in relation to that specific conduct/breach/interference with privacy, while that notice is ‘on foot’ (or where it has been satisfied).
   
• Failure to comply with a compliance notice (or to successfully challenge it in Court) itself gives rise to a contravention subject to the low‑tier civil penalty of up to $330,000, above and beyond any civil penalty applying to the conduct referred to in the notice.  Obtaining an order to impose the civil penalty for not complying with the compliance notice should be relatively straightforward on the facts:  was the compliance notice issued and, if so, was it complied with?

Once the amended Privacy Act is published (including all of the amendments from the Bill) we will circle back and notify you if there are any changes to the above.

As previously noted, these amendments/new provisions (and most of the Bill) will become effective a day after Royal Assent, which we expect will be in the next 1 to 2 weeks.  That is, for most of the changes/new provisions introduced in the Bill, there is no transition period.  The main exception to this is the automated decision making information requirement which has a 24 month transition period.

Please do not hesitate to reach out to us to discuss how these civil penalty, infringement notice and compliance notice regimes (or any of the changes in the Bill) will impact your organisation and how best you can minimise the risks arising from them.