House of Representatives

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

Explanatory Memorandum

(Circulated by authority of the Attorney-General, the Hon Mark Dreyfus KC MP)

Notes on Clauses

Preliminary

Clause 1 - Short title

1. This clause provides for the short title of the Act to be the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

Clause 2 - Commencement

2. This clause provides for the commencement of each provision in the Bill, as set out in the table. Item 1 in the table provides that the whole of this Act will come into effect on the day after the Act receives Royal Assent.

Clause 3 - Schedules

3. Clause 3 provides that each Act specified in the Schedule is amended or repealed as set out in the Schedule. Clause 3 also provides that any other item in a Schedule of the Bill will have effect according to its terms.

GENERAL OUTLINE

4. The Bill amends the Privacy Act 1988 (Privacy Act), the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act) to increase penalties under the Privacy Act, provide the Australian Information Commissioner (the Commissioner) with enhanced enforcement powers, and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.

Australian Communications and Media Authority Act 2005

Item 1 - Subsection 59D(1)

5. This item will ensure the ACMA is able to disclose information to a non-corporate Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) that is responsible for enforcing one or more laws of the Commonwealth.

6. The amendment would ensure the ACMA is able to disclose information without the provision needing to set out an exhaustive list of agencies. The amendment is important because, for many functions and powers that non-corporate Commonwealth entities exercise, taking prompt action is critical to help ensure further harm is minimised or avoided. For example, prompt disclosure of information by the ACMA following a data breach could help ensure that financial crime and fraud does not occur.

7. Disclosures are limited only to non-corporate Commonwealth entities, and not the full range of Commonwealth entities. This will ensure disclosures cannot be made to corporate Commonwealth entities that have a separate legal personality from the Commonwealth. This limitation is appropriate due to corporate Commonwealth entities being able to operate commercially with a degree of independence from the policies and direction of the Australian Government. Further, disclosure can only occur where the entity has a role enforcing a law of the Commonwealth. The ACMA Chair will be able to set conditions that must be adhered to by the receiving agency.

8. The proposed amendment is consistent with paragraphs 59D(1)(l) and (o), which allow the ACMA to share information with a general class of agencies from the States and Territories, and regulators from foreign countries.

Australian Information Commissioner Act 2010

Item 2 - Section 25

9. This item is a technical amendment to allow for the insertion of subsection 25(2), and to reflect that the Commissioner may only delegate specific functions or powers subject to the limitation in subsection 25(2).

Item 3 - Paragraphs 25(e), (g) and (h)

10. This item repeals paragraphs 25(e), (g) and (h). The purpose of this item is to allow the Commissioner to delegate the following functions or powers to a member of staff of the Office of the Australian Information Commissioner (OAIC) to ensure the OAIC's workload can be managed effectively:

a. the function conferred by section 55K of the Freedom of Information Act 1982 (FOI Act) (making a decision on an Information Commissioner review)
b. the function conferred by section 73 of the FOI Act (discretion not to investigate, or continue to investigate, an FOI complaint), and
c. the function conferred by section 86 of the FOI Act (obligation to notify on completion of FOI investigation).

Item 4 - Paragraph 25(k)

11. This item is a technical amendment to reflect that paragraph 25(k) is the final paragraph, due to paragraph 25(l) being repealed.

Item 5 - Paragraph 25(l)

12. This item repeals paragraph 25(l). The purpose of this item is to allow the Commissioner to delegate the following function or power to a member of staff of the OAIC:

a. making determinations for the purposes of section 52 of the Privacy Act after completing a privacy investigation.

Item 6 - At the end of section 25

13. This item limits the Commissioner's expanded delegation power in items 3 and 5 to Senior Executive Service (SES) employees, or acting SES employees. This safeguard reflects that decisions made under sections 55K, 73 and 86 of the FOI Act and section 52 of the Privacy Act are of significance, and as such should only be exercised by employees who have the relevant skills and expertise.

Item 7 - Paragraph 29(2)(a)

14. This item repeals paragraph 29(2)(a) and substitutes it with paragraphs 29(2)(a), (aa) and (ab). This item provides that the following scenarios will not be considered an unauthorised dealing with information, and therefore will not be subject to the offence provision under subsection 29(1):

a. If a person acquires information in the course of performing an information commissioner function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(a)), or
b. If a person acquires information in the course of performing a freedom of information function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(aa)), or
c. If a person acquires information in the course of performing a privacy function or exercising a related power, and records, discloses or uses the information in the course of performing that same function or power (paragraph 29(2)(ab)).

15. The purpose of this item is to clarify that the exception to section 29 applies to any uses of information for the same function (being either an information commissioner function, freedom of information function, or a privacy function) under the AIC Act for which it was collected. This would allow, for example, information from a Notifiable Data Breach statement to be used in a subsequent investigation into potential Australian Privacy Principle (APP) 11 breaches, as they both fall within the Commissioner's privacy functions.

Item 8 - Paragraph 29(2)(aa)

16. This item is a technical amendment to re-letter paragraph 29(2)(aa) to paragraph 29(2)(ac), due to the insertion of the new paragraph 29(2)(aa) above.

Privacy Act 1988

Item 9 - Paragraph 5B(3)(b)

17. This item is a technical amendment to reflect that paragraph 5B(3)(b) will be the final paragraph in subsection 5B(3), due to paragraph 5B(3)(c) being removed.

Item 10 - Paragraph 5B(3)(c)

18. This item will remove the requirement in paragraph 5B(3)(c) that an organisation or operator that is not described in subsection 5B(2) must collect or hold personal information in Australia or an external Territory either before or at the time of the act or practice in order to have an Australian link.

19. Currently, foreign organisations must meet obligations under the Privacy Act if the entity has an Australian link. A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians' information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered 'in Australia'.

20. The purpose of this item is to update the provision to reflect that in the digital era, organisations can use technology such that they do not collect or store information directly from Australia. However, these organisations will often still otherwise be carrying on a business in Australia, and should be required to meet the obligations under the Privacy Act.

21. This mirrors similar provisions in the Australian Consumer Law (ACL). Subsection 5(1) of the Competition and Consumer Act 2010 extends the application of the relevant ACL provisions to conduct by Australian incorporated bodies or those carrying on business in Australia, and Australian citizens or people ordinarily resident within Australia.

Item 11 - Subsection 6(1)

22. This item inserts a definition for the term 'alternative complaint body', and sets out that it has the meaning given by subsection 50(1). The term alternative complaint body is used in new section 33A.

23. This item notes that 'related body corporate' has the meaning given to it by subsection 6(8), which states that for the purposes of this Act, the question of whether bodies corporate are related to each other is determined in the manner in which that question is determined under the Corporations Act 2001.

Item 12 - Section 13G

24. This item is a technical amendment to allow for the insertion of subsection 13G(2).

Item 13 - Section 13G (penalty)

25. This repeals the penalty in section 13G.

Item 14 - At the end of section 13G

26. This item amends section 13G to increase the civil penalty for a serious or repeated interference with privacy. This will ensure penalties are adequate to protect Australians' personal information, and promote effective deterrence.

27. An entity will contravene this subsection if the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual, or the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

28. Subsection 13G(2) sets out the penalty for a serious or repeated interference with privacy by a person other than a body corporate. The item increases the penalty from 2,000 penalty units to $2.5 million.

29. Subsection 13G(3) sets out the penalty for a serious or repeated interference with privacy by a body corporate. The item increases the penalty from 10,000 penalty units to an amount not more than the greater of:

a. $50 million (paragraph 13G(3)(a));
b. three times the value of the benefit the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy, if the court can determine this value (paragraph 13G(3)(b)); or
c. 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention, if the court cannot determine the value of the benefit under paragraph 13G(3)(b) (paragraph 13G(3)(c)).

30. Subsection 13G(4) sets out that subsection 13G(3) applies despite paragraph 82(5)(a) of the Regulatory Powers (Standard Provisions) Act 2014 (Regulatory Powers Act), which states that when determining a pecuniary penalty for a body corporate, the pecuniary penalty must not be more than 5 times the pecuniary penalty specified for the civil penalty provision. This is necessary to sufficiently deter breaches of privacy, particularly by large digital platforms, and to ensure that individuals are adequately protected. By strengthening penalties, Australia will be signalling its expectation that businesses undertake robust privacy and security practices.

31. Subsection 13G(5) sets out what the adjusted turnover of the body corporate will be for the purposes of determining a penalty under paragraph 13G(3)(c). The adjusted turnover will mean the sum of the value of all the supplies made by the body corporate or related bodies corporate in connection with Australia's indirect tax zone. There are exceptions such as supplies made between related bodies corporate, supplies that are input taxed, supplies that are not for consideration and are not taxable, supplies that are not made in connection with the body corporate's business, and supplies that are not connected with the indirect tax zone.

32. Subsection 13G(6) clarifies that any expressions used in subsection 13G(5) that are also used in the A New Tax System (Goods and Services Tax) Act 1999 have the same meaning as in that Act.

33. Subsection 13G(7) sets out what the breach turnover period will be for the purposes of determining a penalty under paragraph 13G(3)(c). The breach turnover period provides the formula for determining the period of time over which the adjusted turnover may be valued.

34. The breach turnover period will be the longer of either:

a. The period of contravention. This period will begin at the start of the month in which the contravention occurred, or began occurring. The period will end at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).
b. The 12-month period ending at the end of the month in which the body corporate ceased the contravention, or proceedings in relation to the contravention were instituted (whichever is earlier).

35. This will result in the minimum breach turnover period being at least 12 months. The purpose of the breach turnover period is to ensure the quantum of a penalty is linked to the economic impact of the body corporate's conduct or to the damage caused by its conduct over the relevant period of time.

Item 15 - Subparagraphs 25(1)(a)(i) and 25A(1)(a)(i)

36. This item clarifies that compensation orders under section 25 and other orders to compensate loss or damage under section 25A can be ordered if a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of Part IIIA of the Privacy Act (credit reporting). This is a technical amendment to ensure that the new civil penalty in item 38 is not captured.

Item 16 - At the end of section 26WA

37. This item updates the simplified outline of Part IIIC to include a summary of the Commissioner's new powers to obtain information or documents in relation to actual or suspected eligible data breaches.

Item 17 - Paragraphs 26WK(3)(c) and 26WR(4)(c)

38. This item clarifies that when an entity must prepare a statement for the Commissioner following an eligible data breach under section 26WK or 26WR, the entity must include information about the particular kind or kinds of information as opposed to just the kind or kinds of information.

39. This is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an eligible data breach in order to assess the particular risk of harm to individuals, and whether the recommendations about the steps that individuals should take in response to the eligible data breach outlined in a notification are sufficient.

Item 18 - At the end of Part IIIC

40. This item adds in the new section 26WU, which provides the Commissioner with information gathering powers in relation to actual or suspected eligible data breaches.

41. This is necessary to ensure the Commissioner has a comprehensive knowledge of the information compromised in an actual or suspected eligible data breach in order to assess the particular risk of harm to individuals. For example, additional information may assist the Commissioner in determining whether to issue a notification under section 26WR to direct an entity to notify the Commissioner and affected individuals about an eligible data breach.

42. Subsection 26WU(1) provides that section 26WU applies if the Commissioner has reason to believe that a person or entity has information or documents or can answer questions in relation to relevant matters, being an actual or suspected eligible data breach of an entity, or an entity's compliance with notification requirements. Subsection 26WU(2) provides a list of non-exhaustive factors that the Commissioner may consider to be relevant matters.

43. Subsection 26WU(3) provides that the Commissioner may, by written notice, require a person or entity to give information, produce a document or answer questions of a kind specified in the notice. Subsection 26WU(4) outlines the procedural requirements of the notice, being that the Commissioner must state the place and time at which the information, document or answers must be provided. Note 1 in subsection 26WU(3) clarifies that section 66 contains the penalties for failure to give information.

44. Subsection 26WU(5) outlines how the Commissioner must handle documents produced. The Commissioner may take possession of and make copies of the documents, or take extracts from the documents. The Commissioner may retain the documents for any period that is necessary for assessing an entity's compliance with the notification requirements, and during this time must permit a person who is entitled to inspect the documents to do so.

45. Subsection 26WU(6) provides that the Commissioner must not exercise this power where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.

46. Subsection 26WU(7) ensures that if a person or entity complies with a notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.

Item 19 - Division 3 of Part IV (heading)

47. This item repeals the heading and substitutes it to read 'Division 3 - Reports and information sharing by Commissioner'. This is to reflect the Commissioner's new information sharing powers.

Item 20 - At the end of Division 3 of Part IV

Section 33A - Commissioner may share information with other authorities

48. Section 33A sets out the Commissioner's power to share information (including personal information) or documents with a receiving body for the purpose of the Commissioner or the receiving body exercising powers, or performing functions or duties. The purpose of this section is to ensure the Commissioner is able to transfer a complaint to a receiving body, and also share information for the purposes of the Commissioner or the receiving body exercising their powers, or performing their functions and duties. This may occur when, for example, the Commissioner is holding information that relates to both an investigation under the Privacy Act, and under the receiving body's framework. Section 33A is an authorisation by law for the purposes of APP 6.2(b).

49. Subsection 33A(2) sets out that an enforcement body (as defined in subsection 6(1)), an alternative complaint body (as defined in subsection 50(1)), a State or Territory authority or an authority of the government of a foreign country that has privacy functions will be a receiving body, and can therefore receive information and documents under subsection 33A(1).

50. The Commissioner's ability to share information is subject to the safeguards in subsections 33A(3) to (5).

51. Subsection 33A(3) provides that the Commissioner may only share information or documents with a receiving body if the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties under the Privacy Act, and the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents. This safeguard is based on the information sharing arrangements in Part VIIIA.

52. Subsection 33A(4) provides that if the Commissioner acquired the information or documents from an agency, the Commissioner may only share the information or documents with a receiving body under this section if the receiving body is an agency. The term 'agency' is defined in subsection 6(1). The purpose of this section is to ensure that where information or documents are obtained from an Australian Government agency, the Commissioner would only be able to share those documents with another Australian Government agency (and not a State or Territory authority, or foreign body).

53. Subsection 33A(5) provides that the receiving body may only use the information for the purposes for which it was shared. The purpose of this provision is to clarify that a receiving body must only use information shared under subsection 33A(1) to the extent that they are a receiving body and only for the purposes of exercising powers, performing functions or duties as that receiving body.

54. Subsection 33A(6) makes it clear that the Commissioner is not required to transfer a complaint or part of a complaint to share information or documents with a receiving body.

Section 33B - Commissioner may disclose certain information if in the public interest

55. Subsection 33B(1) sets out the Commissioner's power to disclose certain information (including personal information) acquired in the course of the Commissioner exercising powers or performing functions or duties under the Privacy Act if the Commissioner is satisfied the disclosure is in the public interest. The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC's website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties. Section 33B is an authorisation by law for the purposes of APP 6.2(b).

56. Paragraph 33B(2)(a) sets out that, when determining whether a disclosure is in the public interest, the Commissioner must have regard to the rights and interests of any complainant or respondent; whether the disclosure will or is likely to prejudice any investigation the Commissioner is undertaking; whether the disclosure will or is likely to disclose the personal information of any person; whether the disclosure will or is likely to disclose any confidential commercial information; and whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body.

57. Paragraph 33B(2)(b) sets out that the Commissioner may also have regard to any other matter the Commissioner considers relevant when determining if a disclosure is in the public interest. For example, the Commissioner may have regard to any consultation with affected entities, and any actions affected entities have taken (such as where the entity has already notified individuals).

58. Subsection 33B(3) clarifies that section 33B does not limit the Commissioner's other powers to disclose information.

Item 21 - After paragraph 33C(1)(c)

59. Paragraph 33C(1)(ca) sets out that the Commissioner may conduct an assessment relating to the ability of an entity subject to Part IIIC (Notification of eligible data breaches) to comply with that Part. This includes the extent to which the entity has processes and procedures in place to assess suspected eligible data breaches and provide notice of eligible data breaches to the Commissioner and to individuals at risk from such breaches. Under subsection 33C(2), the Commissioner may conduct an assessment in such manner as the Commissioner considers fit.

60. The purpose of paragraph 33C(1)(ca) is to expand the Commissioner's power to assess an entity's compliance with the Privacy Act to include Part IIIC. Assessments are an important educative tool, and allow the Commissioner to assess compliance in the absence of a breach of the Privacy Act or a complaint having been made.

Item 22 - At the end of section 33C

61. To assist the Commissioner to conduct assessments, this item will give the Commissioner a new information gathering power for the purposes of conducting an assessment of any kind.

62. Subsection 33C(3) provides that the Commissioner may, by written notice, require an entity or file number recipient to produce information or a document that is relevant to the Commissioner undertaking an assessment of that entity or file number recipient under section 33C. Subsection 33C(4) outlines the procedural requirements of the notice, being that the information or document must be produced within the period specified in the written notice, which must not be less than 14 days after the notice is given to the entity or file number recipient. Note 1 in subsection 33C(3) clarifies that section 66 contains the penalties for failure to give information.

63. The purpose of subsection 33C(3) is to ensure entities cooperate with an assessment by providing the relevant information and documents the Commissioner needs to undertake an assessment. This will ensure that assessments are thorough, and not limited to information that is publicly available.

64. Subsections 33C(4) to (5) contain safeguards to the Commissioner's power to give a notice under subsection 33C(3). Subsection 33C(4) sets out that the Commissioner must not give a notice unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the public interest, the impact on the entity or file number recipient of complying with the notice, and any other matters the Commissioner considers relevant. Subsection 33C(5) sets out that an enforcement body (as defined in subsection 6(1)) is not required to comply with a notice if the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the notice would be likely to prejudice one or more enforcement related activities conducted by or on behalf of the enforcement body.

65. Subsection 33C(6) provides that the Commissioner must not exercise this power where the Attorney-General has furnished to the Commissioner a certificate under section 70 certifying that the giving to the Commissioner of information concerning a specified matter, or the production to the Commissioner of a specified document or other record, would be contrary to the public interest.

66. Subsection 33C(7) ensures that if a person or entity complies with a notice, they will not be liable to a penalty under the provisions of any other Commonwealth law because they gave information, produced a document or answered a question.

67. Subsection 33C(8) empowers the Commissioner to publish information relating to an assessment on the Commissioner's website. Subsection 33C(8) is an authorisation by law for the purposes of APP 6.2(b). The purpose of this item is to ensure Australians are informed about the Commissioner's assessments, and are aware of emerging privacy issues.

Item 23 - At the end of subsection 44(1)

68. This item adds Note 1 in subsection 44(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 24 - At the end of subsection 46(4)

69. This item adds Note 1 in subsection 44(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 25 - At the end of subsection 47(1)

70. This item adds Note 1 in subsection 47(1) which clarifies that section 66 contains the penalties for failure to give information.

Item 26 - Subsection 50(1)

71. This item repeals the reference to 'section' and substitutes it with 'Act' to reflect the reference to other authorities in multiple sections within the Privacy Act.

Item 27 - Subsection 50(1) (after paragraph (b) of the definition of alternative complaint body)

72. This item lists the eSafety Commissioner as an alternative complaint body. This is to ensure the Commissioner is able to transfer complaints and share information with the eSafety Commissioner where permitted under the Act, for example in the event of overlap between privacy complaints and complaints concerning cyberbullying, cyber abuse and image-based abuse.

Item 28 - Subsection 50(1) (definition of Ombudsman)

73. This item repeals the definition of Ombudsman in subsection 50(1), as it is already defined in subsection 6(1).

Item 29 - After subparagraph 52(1)(b)(ii)

74. Subparagraph 52(1)(b)(iia) sets out that after investigating a complaint, the Commissioner may find the complaint substantiated and make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A).

Item 30 - After paragraph 52(1A)(b)

75. Paragraph 52(1A)(ba) sets out that after investigating an act or practice of a person or entity under subsection 40(2), the Commissioner may make a determination that includes a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A).

Item 31 - After subsection 52(1A)

76. Subsection 52(1AAA) complements the Commissioner's power in subparagraph 52(1)(b)(ia) and paragraph 52(1A)(b) to make a determination that includes a declaration that a respondent must take specified steps to ensure conduct, or an act or practice, constituting an interference with the privacy of an individual is not repeated or continued.

77. Subsection 52(1AAA) provides that the steps specified by the Commissioner may include a requirement for the respondent to engage, in consultation with the Commissioner, a suitably independent and qualified adviser to assist this process. For example, the adviser may review any relevant business practices or processes that contributed to the non-compliance, or the remediation of the non-compliance. This will help ensure respondents understand what led to the non-compliance, and how to improve practices.

78. The adviser is to review the acts or practices engaged in by the respondent that were the subject of the complaint, the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued, and any other matter specified in the declaration that is relevant to those acts or practices, or that complaint (paragraph 52(1AAA)(a)).

79. The Commissioner may include a requirement for the respondent to provide a copy of the review to the Commissioner (paragraph 52(1AAA)(b)).

Item 32 - After subsection 52(5)

80. This item clarifies that the Commissioner has the power to publish a determination made under section 52, which represents a final finding, on the OAIC website. The purpose of this item is to ensure information about the Commissioner's determinations is publicly available, and the Australian community is aware of emerging privacy issues.

Item 33 - After section 52

81. This item inserts section 52A, which sets out the requirements and processes if the Commissioner makes a determination under section 52 which includes a declaration mentioned in subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) that the respondent must prepare a statement, in consultation with the Commissioner, about the conduct that constituted the interference with the privacy of an individual.

82. Subsection 52A(1) sets out that the respondent must within 14 days (or such longer period as the Commissioner allows) prepare the statement, and, if required by the declaration, make the statement publicly available. The purpose of this item is to ensure that individuals are fully notified and aware of entities that have contravened the Privacy Act, in particular individuals who have been affected by the contravention.

83. Paragraph 52A(1)(a) sets out the requirements of the statement. The statement must set out the identity and contact details of the respondent or the agency (if the respondent is the principal executive of an agency), a description of the conduct engaged in by the respondent that constitutes the interference with the privacy of an individual, the steps (if any) undertaken or to be undertaken by the respondent to ensure the conduct is not repeated or continued, and any other information required by the declaration to be included in the statement.

84. Paragraph 52A(1)(b) sets out that, if required by the declaration, the respondent must give a copy of the statement to the complainant or, if the complaint is a representative complaint, to each class member identified as affected by the determination, in the manner specified by the declaration. Paragraph 52A(1)(c) sets out that, if required by the declaration, the respondent must publish, or otherwise communicate, the statement in the manner specified by the declaration (for example, on the respondent's website). Paragraph 52A(1)(d) sets out that the respondent will be required to provide the Commissioner with evidence, within 14 days after the end of the period specified in the declaration, that the actions required by paragraphs (b) and (c) have been undertaken.

85. Subsection 52A(2) contains a safeguard on the Commissioner's power to require the respondent to prepare and publish, or otherwise communicate, a statement. Subsection 52A(2) provides that the matters specified by the Commissioner regarding the preparation and publication or communication of the statement must be reasonable and appropriate; for example, the Commissioner may consider the size of the entity, the scale of the contravention and the number of individuals affected.

Item 34 - Division 3 of Part V (heading)

86. This item clarifies that the heading for Division 3 of Part V relates to enforcement of determinations only.

Item 35 - At the end of section 55

87. Paragraph 55(d) sets out that if a determination made under section 52 applies in relation to an organisation or small business operator, the organisation or operator must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 36 - At the end of section 58

88. Paragraph 58(d) sets out that if a determination made under section 52 applies in relation to an agency, the agency must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 37 - At the end of section 59

89. Paragraph 59(d) sets out that if a determination made under section 52 applies in relation to the principal executive of an agency, the principal executive must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia), or paragraph 52(1A)(ba) and section 52A.

Item 38 - Subsection 66(1)

90. This item repeals the criminal penalty in subsection 66(1) for failure to give information, answer a question or produce a document or record when required to do so under the Privacy Act, and substitutes it with a civil penalty for a basic contravention where a person is required to give information, answer a question or produce a document or record under the Act and refuses or fails to do so - for example, under section 44 or subsections 33C(3), 46(4) or 47(1). The penalty is 60 penalty units for a person, and therefore 300 penalty units for a body corporate (applying the multiplier in subsection 82(5) of the Regulatory Powers Act).

91. The purpose of converting subsection 66(1) from a criminal offence to a civil penalty provision is to allow the Commissioner to issue a civil penalty or an infringement notice for minor instances of non-compliance without having to resort to the prosecution of a criminal offence. Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.

92. The supplementary infringement notice section is set out in item 44 (section 80UB).

93. Subsection 66(1) is subject to the safeguard in subsection 66(1B), which provides that subsection 66(1) does not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

94. A separate criminal offence is set out in subsection 66(1AA) when a body corporate engages in multiple instances of non-compliance that constitute a system of conduct or a pattern of behaviour.

Item 39 - After subsection 66(1)

95. Subsection 66(1AA) sets out that a person will commit an offence if the person is a corporation and has engaged in conduct that constitutes a system of conduct or a pattern of behaviour, and the system of conduct or pattern of behaviour results in 2 or more contraventions of subsection 66(1). The penalty for the offence is 300 penalty units. Although this matches the civil penalty units for a basic contravention under subsection 66(1) by a body corporate, conduct regarded as criminal carries a greater stigma and this reflects the more serious nature of an offence under subsection 66(1AA). The purpose of subsection 66(1AA) is to enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions involving more serious, systemic conduct.

96. Subsection 66(1AA) is subject to the safeguard in subsection 66(1B), which provides that subsection 66(1AA) does not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

Item 40 - Subsection 66(1B)

97. This item provides that subsection 66(1AA) will not apply if the person has a reasonable excuse, as outlined in subsection 66(3).

Item 41 - Subsection 66(1B) (note)

98. This item repeals the note in subsection 66(1B) and substitutes it with a note that states that if a person relies on subsection 66(1B), which provides that subsections 66(1) and 66(1AA) do not apply if the person has a reasonable excuse, the person bears the evidential burden. The details of the evidential burden are contained in subsection 13.3(3) of the Criminal Code for the criminal offence, and section 96 of the Regulatory Powers Act for the civil penalty provision.

Item 42 - Paragraph 67(b)

99. This item clarifies that civil proceedings do not lie against a person in respect of loss, damage or injury of any kind suffered by another person because they made a statement, or gave a document or information, to the Commissioner. The item removes the caveat 'whether or not pursuant to a requirement under section 44' to reflect amendments in this Bill, including the Commissioner's new information gathering powers in relation to actual or suspected eligible data breaches in section 26WU.

Item 43 - Subsection 70(1)

100. Subsection 70(1) currently provides that if the Attorney-General issues a certificate in limited circumstances, the Commissioner cannot require a person to give particular information or produce a document or record to the Commissioner. This item clarifies that subsection 70(1) applies whenever the Commissioner is exercising a power under the Privacy Act to require information, documents or records. For example, it would apply to the new information gathering powers in item 18.

Item 44 - After Division 1 of Part VIB

101. This item inserts the heading Division 1A - Infringement notices.

102. Subsection 80UB(1) provides that the basic contravention for failing to provide information, answer a question or produce a document or record can be subject to an infringement notice under Part 5 of the Regulatory Powers Act.

103. The purpose of subsection 80UB(1) is to allow an infringement officer to issue an infringement notice instead of seeking a civil penalty for contraventions of subsection 66(1) where a person is required to give information, answer a question, produce a document or record, and the person refuses or fails to do so. This will enable the OAIC to resolve matters more efficiently.

104. Subsection 80UB(2) provides that the Commissioner and a member of the staff of the Commissioner who holds, or is acting in, an office or position that is equivalent to an SES employee will be an infringement officer for the purposes of exercising powers under Part 5 of the Regulatory Powers Act. Subsection 80UB(3) sets out that the Commissioner is the relevant chief executive for the purposes of exercising powers under Part 5 of the Regulatory Powers Act.

105. Subsection 80UB(4) makes it clear that Part 5 of the Regulatory Powers Act extends to every external Territory of Australia.

106. In accordance with subsection 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate.

Item 45 - Application of amendments

107. This item provides the arrangements for how amendments made by Schedule 1 are to be applied.

108. The ACMA will be able to disclose authorised information under subsection 59D(1) of the ACMA Act regardless of whether the information was acquired by the ACMA prior to commencement of this item.

109. The clarification to subsection 29(2) of the AIC Act applies in relation to information acquired before or after the commencement of this item.

110. The increased penalties under section 13G do not apply in relation to an act done, or a practice engaged in, before the commencement of this item.

111. The requirement for eligible data breach statements to include information about 'particular' kinds of information under paragraphs 26WK(3)(c) and 26WR(4)(c) will only apply in relation to statements prepared after the commencement of this item.

112. The Commissioner will be able to give a notice to an entity or person under section 26WU to give information, produce a document or answer questions of a kind specified in the notice regardless of when the actual or suspected eligible data breach occurred or may have occurred.

113. The Commissioner will be able to disclose information or documents under section 33A regardless of whether the information or documents were obtained prior to commencement of this item.

114. The Commissioner will be able to disclose information under section 33B regardless of whether the information was obtained prior to commencement of this item.

115. The Commissioner will be able to give a notice to an entity under section 33C to produce information or documents in relation to an assessment only if the assessment has not yet been started, or has not yet concluded.

116. The Commissioner will be able to make a determination that includes the expanded declaration powers in section 52 if the investigation has not yet been started, or has not yet concluded.

117. The Commissioner will be able to publish a determination made under section 52, regardless of when the determination was made.
