Australia: Increased privacy penalties and binding social media code tabled

On 25 September 2021, the Australian Commonwealth Government published a consultation draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (Online Privacy Bill) which, if passed, will introduce the following significant changes into the Privacy Act 1988 (Cth) (Privacy Act):

  • an increase in the maximum penalties payable for serious or repeated privacy breaches; and
  • a framework for a binding online privacy code for social media and certain other online platforms.


In December 2019, in response to the final report of the Australian Competition and Consumer Authority’s (ACCC) Digital Platforms’ Inquiry, the Commonwealth Government made commitments to introduce certain changes to the Privacy Act, as well as to carry out a broader review and reform of the regime (scheduled in 2020-2021).

The Online Privacy Bill represents the first of the proposed legislative changes. The consultation (which closes on 6 December 2021) is being conducted in parallel with the broader Privacy Act review, for which submissions are being accepted until 10 January 2022.

Increased penalties

The maximum penalty payable by corporations for a serious or repeated interference with the privacy of an individual will increase from the current AUD 2.22 million to the greater of:

  • AUD 10,000,000;
  • three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or
  • if the value cannot be determined, 10% of its domestic annual turnover. The Online Privacy Bill sets out how to calculate turnover for the purposes of this provision.

This aligns the penalties under the Privacy Act with those payable under the Australian Consumer Law (ACL), which is overseen by the ACCC. In addition to the Digital Platforms’ Inquiry, the ACCC is becoming increasingly active in the privacy space. Earlier this year, it successfully brought proceedings against Google for misleading conduct (which is a breach of the ACL), in respect of the way that Google collected location data from users of certain Android devices.

Online privacy code

Whilst the draft code itself has not yet been published, the Online Privacy Bill creates a framework for a binding code that will apply to organisations:

  • providing social media or data brokerage services; or
  • collecting personal information via an online platform with more than 2,500,000 end users in Australia (excluding customer loyalty schemes).

One significant change tabled for the code is that it will enable individuals to request that an organisation cease to use and disclose their personal information. This expands the rights to request access to, or correction of, personal information currently available under the Privacy Act.

These changes should also be considered in light of the Office of the Australian Information Commissioner’s ongoing proceedings against Facebook, in respect of the Cambridge Analytica scandal.