House of Representatives

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

2. The Bill contains a range of measures to enhance the protection of personal information, including amendments to:

a. increase penalties under the Privacy Act 1988 (Privacy Act)
b. strengthen the Australian Information Commissioner's (the Commissioner's) enforcement powers, and
c. provide the Commissioner and Australian Communications and Media Authority (ACMA) with greater information sharing arrangements.

Human rights implications

3. This Bill engages the following rights:

a. the right to privacy in Article 17 of the International Covenant on Civil and Political Rights (ICCPR), and
b. the right to a fair trial under Article 14 of the ICCPR.

Increased penalties and enforcement powers

Right to protection against arbitrary or unlawful interference with privacy

4. The Bill promotes the right to privacy by strengthening the protection of the law against unlawful interferences with privacy. The Bill expands the mechanisms available to the Commissioner to enforce the protections provided under the Privacy Act for a wide range of situations in which an unlawful interference with privacy can occur.

5. The Bill strengthens the protection of the law against unlawful interferences with privacy by:

a. Increasing the maximum civil penalty for serious or repeated interferences with privacy.

i. This measure is privacy enhancing. To promote effective deterrence, it is essential for the Privacy Act to provide meaningful sanctions for any conduct interfering with an individual's privacy.

b. Creating a new provision allowing the Commissioner to issue an infringement notice for a failure to give information, answer a question or produce a document or record when required to do so (with associated additional civil penalty provisions). A separate criminal penalty has been created if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour.

i. This measure is privacy enhancing. Providing the Commissioner with new infringement notice powers to penalise entities for failing to provide information, without the need to engage in protracted litigation, will allow the Commissioner to resolve matters more efficiently.

c. To complement the Commissioner's existing power to make a declaration in a determination that a respondent must take specified steps to ensure conduct constituting an interference with privacy is not repeated or continued, the Commissioner will be empowered to require the respondent to engage an independent and suitably qualified adviser to assist this process. Additionally, the Commissioner may require the respondent to prepare and/or publish a statement about the conduct that led to the interference with privacy.

i. These measures are privacy enhancing. Engaging an adviser will assist entities to ensure the non-compliance can be appropriately remediated, and preparing and publishing a statement about the conduct will provide Australians with greater visibility of emerging privacy issues and of whether an entity that holds their personal information has breached the Privacy Act.

d. Empowering the Commissioner to conduct an assessment of an entity's compliance with the Privacy Act's Notifiable Data Breaches (NDB) scheme, and providing the Commissioner with a new information gathering power for the purposes of conducting an assessment of any kind and assessing an actual or suspected eligible data breach.

i. These measures are privacy enhancing. Being able to undertake an assessment of an entity's compliance with the NDB scheme will ensure entities are meeting the scheme's reporting and notification requirements, which provides individuals with transparency and assists them in taking steps to protect their privacy. Information gathering powers are necessary to provide the Commissioner with a comprehensive understanding of an entity's practices, so as to understand the full extent of a breach or an emerging issue.

e. Strengthening the NDB scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.

i. This measure is privacy enhancing as it will ensure the Commissioner is able to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.

6. The Bill promotes the right to privacy by ensuring that the Commissioner's enforcement mechanisms and penalties are adequate to protect the privacy of Australians.

Right to a fair trial

7. Article 14 of the ICCPR guarantees a person be afforded, in the determination of any criminal charge against them, the right to a fair trial. The United Nations Human Rights Committee has indicated that the right to a fair trial under Article 14 may extend to acts that are 'criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity' (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v. Austria, at para 9.2). The substance of the civil penalties, criminal offences and fair hearing guarantees in the Bill is relevant to ICCPR Article 14. Schedule 1 of the Bill engages the right to a fair trial.

Section 13G - civil penalties

8. Under the prevailing law, the maximum civil penalty for serious or repeated interferences with privacy is 2,000 penalty units (section 13G of the Privacy Act) - which, on the current penalty unit value, is a maximum civil penalty of $2.22 million for bodies corporate and $444,000 for other entities regulated by the Privacy Act. These penalties fall short of community expectations, particularly if it is large multinational organisations being penalised, and given the potential financial and emotional harm of serious or repeated breaches.

9. The Bill will increase the maximum civil penalty to $2.5 million for a person other than a body corporate. For bodies corporate, the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained by the body corporate from the conduct constituting the serious or repeated interference with privacy; or, if the value cannot be determined, 30% of their adjusted turnover in the relevant period.

10. These changes are consistent with the proposed maximum penalties under the Australian Consumer Law (ACL) in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022. The Australian Competition and Consumer Commission's Digital Platforms Inquiry July 2019 report recommended that the maximum penalties of the Privacy Act should be increased to mirror the penalties for breaches of the ACL as the lack of effective deterrence has enabled problematic data practices.

11. Further, the Privacy Act applies appropriate safeguards that exist in the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act) that protect the rights expressed in Article 14. Section 80U of the Privacy Act and Part 4 of the Regulatory Powers Act provide that in determining pecuniary penalties a court must take all relevant matters into account, including the circumstances of the contravention, the nature and extent of any loss or damage suffered because of the contravention and whether the entity has previously been found to have engaged in similar conduct. Where conduct contravenes more than one civil penalty provision, proceedings may be commenced in relation to each contravention; however, the entity (or person) cannot be liable for more than one penalty in relation to that conduct.

12. The maximum penalty for a body corporate is significantly higher than that imposed on a person other than a body corporate. This is necessary to sufficiently deter breaches of privacy, particularly for large digital platforms, and ensure that individuals are adequately protected. By strengthening penalties, Australia will be signalling its expectations that businesses undertake robust privacy and security practices.

13. For these reasons, the level of civil penalties which apply under section 13G are a reasonable and proportionate response to the behaviours the penalties are intended to deter and penalise.

Section 66 - civil and criminal penalties

14. Under the prevailing law, the criminal penalty for a person refusing or failing to give information, or answer a question or produce a document or record when required to do so under the Privacy Act, is imprisonment for 12 months or 20 penalty units or both for an individual, or 100 penalty units for bodies corporate (section 66 of the Privacy Act).

15. The Bill creates an infringement notice provision in subsection 66(1) to supplement a new civil penalty provision which will provide an alternative to potential litigation of a civil matter. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate - which, on the current penalty unit value, leads to a maximum penalty of $2,664 for a person and $13,320 for bodies corporate. The civil penalty for the infringement notice provision will be 60 penalty units for a person, and 300 penalty units for bodies corporate - which, on the current penalty unit value, leads to a maximum civil penalty of $13,320 for individuals and $66,600 for bodies corporate.

16. The Bill also creates a separate criminal offence in subsection 66(1AA) if a body corporate engages in conduct which constitutes a system of conduct or pattern of behaviour. This would enable the Office of the Australian Information Commissioner (OAIC) to refer matters to the Commonwealth Director of Public Prosecutions for more serious, systemic conduct. The maximum penalty will be 300 penalty units for bodies corporate - which, on the current penalty unit value, leads to a maximum civil penalty of $66,600 for bodies corporate.

17. These new provisions are subject to the safeguard in subsection 66(1B), which provides a person cannot be penalised if they have a reasonable excuse.

18. These changes would encourage compliance, and enable the OAIC to effectively resolve privacy complaints and investigations faster, as investigations can be delayed due to the failure of parties to respond to requests for information. The infringement notice provision will provide an alternative to litigation of a civil matter. An infringement notice could be used in instances where a regulatory response is justified, but where it is preferable to attempt to resolve the matter outside of court in the first instance.

19. As noted above, the Privacy Act applies appropriate safeguards that exist in the Regulatory Powers Act that protect the rights expressed in Article 14. This includes:

a. The Bill designates the Commissioner and a senior member of the staff of the Commissioner as an infringement officer for the purposes of Part 5 of the Regulatory Powers Act. The infringement notice is subject to the safeguards provided in the Regulatory Powers Act, including that a notice must be issued within 12 months of when the contravention is alleged to have taken place and must outline the consequences of a failure to pay the amount payable under the notice.
b. Part 4 of the Regulatory Powers Act provides procedures and protections to ensure that entities will not be subject to both criminal and civil penalties for the same conduct.
c. The Privacy Act incorporates appropriate safeguards when determining the civil penalty to be imposed.

20. For these reasons, the level of civil and criminal penalties which apply under section 66 are a reasonable and proportionate response to the behaviours the penalties are intended to discourage.

Information sharing

Right to protection against arbitrary or unlawful interference with privacy

21. The Bill limits the right to privacy by expanding the Commissioner's capacity to share information, including personal information, with an enforcement body, alternative complaint body, and a State, Territory or foreign privacy regulator.

22. The Bill also limits the right to privacy by expanding ACMA's capacity to share information, including personal information, with any non-corporate Commonwealth entity responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.

23. The Commissioner is generally bound by a secrecy provision in the Australian Information Commissioner Act 2010 which limits the Commissioner's discretion to share information. The existing provisions of the Privacy Act only provide a limited set of circumstances where the Commissioner can share information or documents with other authorities and other regulators. This significantly impacts the Commissioner's ability to cooperate with enforcement bodies and other regulators.

24. The Bill will facilitate better cooperation between the Commissioner and ACMA, and other enforcement and regulatory authorities and entities.

25. The Commissioner's information sharing power is subject to several limitations which ensure that it is reasonable, necessary and proportionate. These include that:

a. the Commissioner can only share information for the purposes of the Commissioner's, or the receiving body's, exercise of powers or performance of functions and duties
b. the information or documents must have been acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under the Privacy Act
c. the Commissioner must also be satisfied on reasonable grounds that the receiving authority has satisfactory arrangements for maintaining security of the information or documents
d. where the Commissioner has obtained information or documents from an Australian Government agency, the Commissioner may only share those documents with an Australian Government agency, and
e. further, if the information is shared with a receiving body under this section, the receiving body may use the information only for the purposes for which it was shared.

26. Existing protections in section 59D of the Australian Communications and Media Authority Act 2005 will apply to ACMA's new ability to share information, namely that the ACMA Chair must be satisfied that the information will enable or assist the entity to perform or exercise any of its functions or powers, and that the ACMA Chair may impose conditions to be complied with in relation to the authorised disclosure of information.

27. This limitation on the right to privacy is permissible as it is a reasonable, necessary and proportionate means of achieving a legitimate goal to improve cooperation between law enforcement and regulatory bodies, and is subject to safeguards.

28. The Bill also limits the right to privacy by empowering the Commissioner to disclose information acquired in the course of exercising powers, or performing functions and duties.

29. The disclosure power is subject to the Commissioner being satisfied on reasonable grounds that the disclosure is in the public interest, which ensures that it is reasonable, necessary and proportionate. To determine whether the disclosure is in the public interest specific regard must be given to:

a. the rights, freedoms and legitimate interests of any person including the complainant or respondent
b. whether the disclosure could prejudice an investigation which is underway
c. whether the disclosure will or is likely to disclose the personal information of any person
d. whether the disclosure will or is likely to disclose confidential commercial information, and
e. whether the disclosure would be likely to prejudice enforcement related activities conducted by or on behalf of an enforcement body.

30. This limitation on the right to privacy is permissible as it is a reasonable, necessary and proportionate means of ensuring Australians are informed about instances where their privacy may have been compromised and are able to take measures to protect their personal information, and is subject to appropriate safeguards.

Conclusion

31. The Bill is compatible with human rights because it promotes the protection of human rights, particularly the right to privacy in Article 17 of the ICCPR. To the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate to achieve the legitimate aims of the Bill and the Privacy Act.
