International Association of Privacy Professionals Australia and New Zealand Summit 2022
I acknowledge the Traditional Custodians of the lands on which we meet, and pay respect to their Elders past and present.
I extend my respect to all Aboriginal and Torres Strait Islander peoples present today.
Thank you for the invitation to speak today at the International Association of Privacy Professionals Australia and New Zealand Summit 2022. It is a privilege to provide you with the Government’s intentions on prioritising and reforming Australia’s privacy laws.
It is a busy time for privacy professionals. As we have seen in recent weeks with Optus, Medibank and other cyberattacks, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.
The novel privacy challenges posed by the rise of digital platforms and the unprecedented volume and variety of data that these platforms collect from users underscores the importance of reforming our privacy laws.
Australia’s privacy laws need to better regulate how companies manage the huge amount of data they collect. Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset.
That is why on 26 October, I introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which will significantly increase penalties for repeated or serious privacy breaches. The Bill has now passed the House of Representatives and has also been referred to the Senate Legal and Constitutional Affairs Legislation Committee for inquiry and report. The Government will engage positively with the Committee inquiry’s recommendations.
Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
This Bill provides Australians with confidence that their data will be protected in four ways.
First, the Bill would significantly increase maximum penalties under the Privacy Act for serious or repeated privacy breaches to incentivise businesses to take strong privacy and cybersecurity measures to protect the personal data they hold.
Specifically, the Bill would increase the maximum penalties for serious or repeated privacy breaches from the current $2.22 million to whichever is the greater of:
- $50 million;
- three times the value of any benefit obtained through the misuse of information; or
- if the value of the benefit cannot be determined, 30 per cent of a company’s adjusted turnover in the relevant period.
Second, the Bill would provide the Australian Information Commissioner with greater powers to resolve privacy breaches and quickly share information about data breaches to help protect customers.
Third, the Notifiable Data Breaches scheme would be strengthened to ensure the Information Commissioner has comprehensive knowledge of the information compromised in a breach to assess the particular risk of harm to individuals.
Fourth, the Bill would provide the Information Commissioner and the Australian Communications and Media Authority with greater information-sharing powers to ensure regulators are able to work together and take prompt action to minimise harm to Australians.
The Bill responds to the most pressing issues arising from recent data breaches and other cyber incidents.
This Bill precedes a comprehensive review of the Privacy Act by the Attorney-General’s Department that will provide a final report to the Government this year.
The Privacy Act Review
The Government is committed to ensuring a strong regulatory framework to protect people’s right to privacy and ensuring the security of their personal information.
The Privacy Act Review will put forward proposals for reform of the Privacy Act to ensure it is fit for purpose in the digital age.
The Privacy Act needs to enhance the protections provided to individuals and provide businesses with clarity about the types of information covered by the Act and how to protect this information.
Feedback provided to the Review has revealed that people often do not understand the risks of complicated information handling practices and do not feel they have control over their personal information.
Personal information is being used in ways that are harmful and invasive. This does not meet community expectations.
Particular concerns have been raised about online behavioural advertising directed at children, profiling of individuals to reveal their vulnerabilities, the large-scale sale of personal information and the use of facial recognition technology.
Individuals need a privacy regime that protects them from having their personal information used in ways that could harm or manipulate them.
On the other side of the equation, businesses would benefit from a privacy regime that allows them to take advantage of the economic opportunities presented by emerging technologies.
The protection of personal information also requires effective enforcement of breaches of privacy, and that is why the Privacy Act Review is examining how the Office of the Australian Information Commissioner can best function in its role as Australia’s privacy regulator.
While delivering the Final Report on the Privacy Act Review will be a significant milestone, implementation will be an equally important undertaking. I have said before that it is my intention to progress much needed reforms to privacy laws in this term of Parliament. The Government looks forward to working further with interested stakeholders, including privacy experts and professionals, in delivering these reforms.