Express law No. 310

29 November 2022

Amendments to Privacy Act to increase penalties for privacy breaches, enhance powers of OAIC

Recent amendments to the Privacy Act 1988 (Cth) (the Privacy Act) through the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) will increase penalties for serious or repeated privacy breaches.

The Bill has passed federal Parliament and the higher penalties and other amendments will commence the day after the Bill receives Royal Assent.

While the amendments to introduce higher penalties do not change existing obligations under the Australian Privacy Principles, agencies should prepare for these changes by reviewing their level of data security and current data collection and retention processes.

A number of high profile data breaches and cyber attacks in recent months have highlighted the importance for entities to have appropriate privacy and cyber settings in place for the management and protection of personal data.

On 26 October 2022, the Government introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which aims to address the most pressing issues arising from the recent data breaches. The Bill will increase the penalties associated with serious breaches of the Privacy Act and provide the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement and information gathering and sharing powers.

On 22 November, the Senate Legal and Constitutional Affairs Legislation Committee published its report recommending that the Bill be passed subject to some limited recommendations regarding the Attorney-General’s Department review of the Privacy Act considering whether the terms ‘serious’ and ‘repeated’ interference with privacy could be clarified, and examining the appropriateness of the ‘Australian link’ provision in section 5B. 

Key changes include:

  • Significant increases in the maximum penalties under the Act for serious or repeated privacy breaches from the current $2.22 million for bodies corporate to whichever is the greater of:
    • $50 million
    • three times the value of any benefit obtained through the misuse of information
    • if the value of the benefit cannot be determined, 30 per cent of the body corporate’s adjusted turnover in the relevant period.
  • For a person other than a body corporate, the penalty will increase from $440,000 to a cap of $2.5 million. The penalty applicable to an entity will depend on its organisational structure.
  • The OAIC will also acquire greater powers to resolve privacy breaches and quickly share information (including about data breaches) to help protect individuals, including with enforcement bodies (domestic and international), alternative complaint bodies and state and territory authorities. It will also be able to share information publicly if it is in the public interest to do so.
  • The Notifiable Data Breaches scheme will be strengthened to ensure the Information Commissioner has comprehensive knowledge of the information compromised in a breach to assess the particular risk of harm to individuals.
  • The Bill would provide the Information Commissioner and the Australian Communications and Media Authority (ACMA) with greater information-sharing powers to ensure regulators are able to work together and take prompt action to help protect the privacy of individuals.

The Government has indicated this presents the first step in reforms to the Privacy Act noting   a comprehensive review of the Privacy Act by the Attorney-General’s Department will be provided to the Attorney-General, which will recommend further reform proposals to ensure Australia’s privacy framework is fit for purpose, and responds to new challenges in the digital era.  


Arduca, Elena

Senior Executive Lawyer

Information law