House of Representatives

Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)

GENERAL OUTLINE

1. The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act) to increase penalties under the Privacy Act, provide the Australian Information Commissioner (the Commissioner) with greater enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Increased penalties

2. The Bill will increase the penalty under section 13G of the Privacy Act for serious or repeated interferences with privacy to $2.5 million for a person other than a body corporate, and for a body corporate the maximum penalty will increase to an amount not exceeding the greater of $50 million; three times the value of the benefit obtained; or, if the court cannot determine the value of the benefit, 30% of their adjusted turnover in the relevant period.

Enhanced enforcement powers

3. The Bill will provide the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement powers, including by:

a.

expanding the types of declarations that the Commissioner can make in a determination at the conclusion of an investigation

b.

amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the Act, even if they do not collect or hold Australians' information directly from a source in Australia

c.

providing the Commissioner with new powers to conduct assessments

d.

providing the Commissioner new infringement notice powers to penalise entities for failing to provide information without the need to engage in protracted litigation, and

e.

strengthening the Notifiable Data Breaches scheme to ensure the Commissioner has comprehensive knowledge of the information compromised in an eligible data breach to assess the particular risk of harm to individuals.

Enhanced information sharing powers

4. The Bill will enhance the Commissioner's ability to share information by:

a.

clarifying that the Commissioner is able to share information gathered through the Commissioner's information commissioner functions, freedom of information functions and privacy functions

b.

providing the Commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body, and a State, Territory or foreign privacy regulator for the purpose of the Commissioner or the receiving body exercising their powers, or performing their functions or duties, and

c.

providing the Commissioner with the power to publish a determination or information relating to an assessment on the Commissioner's website; and disclose all other information acquired in the course of exercising powers or performing functions or duties if it is in the public interest.

5. The Bill will also amend the ACMA Act to expand ACMA's ability to share information to any non-corporate Commonwealth entity (as defined in section 11 of the Public Governance, Performance and Accountability Act 2013) responsible for enforcing a Commonwealth law where the information will enable or assist the entity to perform or exercise any of its functions or powers.

Delegations

6. The Bill will amend the AIC Act to allow the Commissioner to delegate certain functions or powers to a member of staff of the OAIC.

FINANCIAL IMPACT

7. This Bill may increase Commonwealth revenue due to increased penalties. This will be dependent on the number and quantum of successful civil penalty orders sought by the Commissioner.