One of the primary risk management issues currently faced by many of our clients is cyber security, particularly in respect of personally identifiable information (PII) and privacy. The legislative landscape around PII and privacy has undergone rapid and significant reform in recent years. The last update to privacy legislation, in 2022, significantly increased the penalties for serious or repeated breaches of privacy legislation by companies.
The Enforcement Act (2022)
The most significant reform in the 2022 update was the Enforcement Act, which increased the maximum penalty for serious or repeated breaches to whichever is the greater of:
- AU$50 million;
- if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention, three times the value of that benefit;
- if the court cannot determine the value of that benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
Proposed Privacy Act Reform (2024/5)
The proposed Privacy Act reform currently passing through Federal Parliament will likely be passed later this year and commence in early 2025. It represents the most significant reform of the Privacy Act since the Act was passed in 1988. Some of the proposed reforms are outlined below.
- Broadening the scope of personal information, likely to include technical information (e.g. IP addresses) and inferred information.
- Enhanced privacy protections for employees, to be implemented within the Privacy Act.
- Introduction of a new ‘fair and reasonable in the circumstances test’ to the collection, use and disclosure of personal information.
- Requirement that organisations determine and record the primary and secondary purposes for collecting, using and disclosing personal information.
- A new direct right of action for individuals. Individuals (including groups) who have suffered loss or damage as a result of an interference with privacy would be allowed to claim directly against the entities holding their information. This opens up potential class actions by groups whose privacy has been breached against the company that held their information.
- Requirement to establish, disclose and periodically review retention periods for personal information.
- A 72-hour notification requirement in the event of an eligible data breach.
- Introduction of new ‘mid-tier’ penalties for interferences with privacy that are not otherwise serious, and ‘low-level’ penalties for specific administrative breaches.
Cyber & Privacy Outlook update
For a comprehensive review of current and upcoming legislation in the areas of cyber and privacy, we refer you to the Albrecht Burrows Cyber and Privacy Outlook update for 2024. For Directors and Officers of an organisation, the most pertinent sections of the update are “The Privacy Act”, “Director’s Duties and Cybersecurity” and “Third Party Liability for cyber and privacy”.
Tailored Assessment
If you are interested in understanding more about the risks associated with the handling of personal information and what these changes mean for your business, please contact our office on (02) 9587 3500 and we can help ensure you are informed and prepared for these upcoming changes.