Privacy breaches & cyber security in Australia – heightened enforcement risk

Over the last six months, there have been several strong indications that the risk profile of cyber and data privacy enforcement for organisations doing business in Australia is rapidly increasing.

Not only is Australia’s Government focussed on positioning Australia as a global leader in cyber security by 2030, it has (finally) forged ahead with long-awaited privacy law reforms, with changes to maximum penalties and enforcement powers fast-tracked in December 2022 and further developments regarding the more comprehensive review of the adequacy of Australia’s privacy laws expected by the end of 2023. More recently, Australia’s privacy regulator (the OAIC) has commenced investigations into a number of large cyber-breaches which have affected the personal information of millions of Australians.

Additional funding for privacy enforcement and cyber security initiatives

Increased cyber and privacy enforcement risk in Australia was essentially confirmed this week when the federal Government announced in the Budget 2023/24 that the OAIC will receive over $60 million over the next few years to fund increased enforcement activities.

Specifically, an additional $17.8 million has been allocated for FY 2023/24 and $45 million over four years to increase the OAIC’s enforcement of Australia’s privacy laws. Other funding for data privacy and cyber security in the Budget 2023/24 includes:

  • $23.4 million to assist small businesses to mitigate cyber-attacks through training by the Council of Small Business Organisations Australia;
  • $86.5 million to create a National Anti-Scam Centre to help ASIC fight scam websites;
  • $26.9 million to improve the efficiency and protection of Digital IDs; and
  • $88.8 million over 2 years to support the Consumer Data Right in banking, energy, and the non-bank lending sectors and deliver a cyber security uplift.

Strengthening the OAIC’s investigative and enforcement team

This allocation of substantial additional funding comes after apparent structural changes at the OAIC which suggest its internal investigative and enforcement teams have been strengthened. On 2 May 2023, Australia’s Attorney-General, the Hon. Mark Dreyfus KC, MP announced that the Australian Government would immediately begin looking for a new Privacy Commissioner to oversee the enforcement of the Privacy Act 1988 (Cth) (the Act). Currently, Angelene Falk acts as both the Information Commissioner and the Privacy Commissioner but will remain only as the former. The Attorney-General’s announcement follows the OAIC’s recruitment of Penny Snowden, former Australian Federal Police General Counsel, in around February 2023 as Assistant Commissioner, Dispute Resolution, and the advertisement of legal and investigative positions in around April 2023 to fill a newly created Major Investigations Branch, which was established to handle the recent uptick of significant cyber-attacks in Australia.

Prior developments consistent with increasing enforcement risk

The developments referred to above are consistent with the Australian Government’s stated intention to increase the enforcement of Australia’s privacy laws and the cyber security of Australia more generally. They also build on several important developments in the privacy and cyber landscape in Australia in the last 6 months:

  1. The fast tracking of changes to the Act in December 2022 when Australia’s Federal Parliament passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth). These changes included:
    1. increases to the maximum penalties for companies for serious or repeated interferences with privacy equal to the greater of $50 million or three times the value of the benefit obtained; and
    2. expanded regulatory powers for the OAIC and the Australian Communications and Media Authority which include information gathering and information sharing with other enforcement bodies.
  2. The more comprehensive review of the Act with further reforms expected in late 2023 following the release of the Privacy Act Review Report in February 2023 and a period of consultation which closed in late March 2023.
  3. The announcement by Australia’s first Minister for Cyber Security, the Hon. Clare O’Neil MP in February 2023 of the development of the 2023-2030 Australian Cyber Security Strategy, which sets an ambitious aspiration for Australia to become the most cyber secure nation in the world by the end of this decade.
  4. The OAIC’s commencement of significant investigations into some of the largest cyber-attacks in Australian history on Medibank, Optus and, as announced this week, Latitude Financial Services. Significantly, the Latitude investigation is the OAIC’s first joint investigation with a foreign regulator, being the New Zealand Office of the Privacy Commissioner.
  5. The OAIC’s decision to theme this year’s Privacy Awareness Week as “Back to Basics”. There is little doubt that recent cyber-attacks in Australia have put the security of personal information and data handling practices of businesses in Australia in the spotlight, and in particular, apparent failures by some businesses to destroy or de-identify personal information that is no longer required. Could the OAIC’s focus on reminding businesses to get the basics right be an indication that strict enforcement of Australia’s privacy laws (in addition to the major investigations already underway) is just around the corner?

Next steps

It seems almost certain that the OAIC will continue to ramp up its investigative and enforcement activity in relation to Australia’s privacy laws in the immediate future. In addition to investigation and prosecution risk, we expect increased risk of information gathering powers being exercised by the OAIC.

It is essential that organisations doing business in Australia are prepared for the OAIC to come knocking. Organisations should review their existing data handling and security practices to ensure they are in fact compliant with the ‘basics’. Documentation such as privacy policies, collection notices, data storage and retention policies, and cyber incident response plans should be reviewed and updated to the extent they are out of date, or non-compliant with Australia’s laws.