The government says it will legislate increase the penalties that can be levied under the Privacy Act to 10 per cent of a company’s turnover, $10 million, or three times the value of a benefit obtained through the misuse of information, whichever is greater, up from a current cap of $2.1 million for serious or repeated breaches.
The government also announced today it would also increase the powers of the Office of the Australian Information Commissioner (OAIC) to impose penalties of up to $63,000 for bodies corporate and $12,600 for individuals for failure to cooperate with efforts to resolve minor privacy breaches.
“Existing protections and penalties for misuse of Australians’ personal information under the Privacy Act fall short of community expectations, particularly as a result of the explosion in major social media and online platforms that trade in personal information over the past decade,” Attorney-General Christian Porter said in a statement.
Other changes detailed today by the government include expanding the options open to the OAIC, including allowing the privacy watchdog to issue directions requiring a third-party review of a breach or the publishing of public notices.
“This penalty and enforcement regime will be backed by legislative amendments which will result in a code for social media and online platforms which trade in personal information. The code will require these companies to be more transparent about any data sharing and requiring more specific consent of users when they collect, use and disclose personal information,” Porter said.
“We will also be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person.”
Legislation to implement the new measures will be drafted for consultation in the second half of the year.
The government said it would boost the OAIC’s budget by $25 million over three years.
The government’s move comes as it prepares to legislate the new Consumer Data Rightv, which will allow individuals to direct an entity that holds relevant information on them to hand it over to an accredited third party.
Initially the CDR will involve the implementation of an open banking regime, with the energy and telco sectors also to be among the first sectors to be covered by the new rules. The OAIC will help oversee the privacy aspects of the CDR, while the Australian Competition and Consumer Commission will devise rules implementing the new right for different industries.