Over the last six months, there have been several strong indications that the risk profile of cyber and data privacy enforcement for organisations doing business in Australia is rapidly increasing.
Not only is Australia’s Government focussed on positioning Australia as a global leader in cyber security by 2030, it has (finally) forged ahead with long awaited privacy law reforms, with changes to maximum penalties and enforcement powers fast tracked in December 2022 and further developments regarding the more comprehensive review of the adequacy of Australia’s privacy laws expected by the end of 2023. More recently, Australia’s privacy regulator (the OAIC) has commenced investigations into a number of large cyber-breaches which have affected the personal information of millions of Australians.
Increased cyber and privacy enforcement risk in Australia was essentially confirmed this week when the federal Government announced in the Budget 2023/24 that the OAIC will receive over $60 million over the next few years to fund increased enforcement activities.
Specifically, an additional $17.8 million has been allocated for FY 2023/24 and $45 million over four years to increase the OAIC’s enforcement of Australia’s privacy laws. Other funding for data privacy and cyber security in the Budget 2023/24 includes:
This allocation of substantial additional funding comes after apparent structural changes at the OAIC which suggest its internal investigative and enforcement teams have been strengthened. On 2 May 2023, Australia’s Attorney-General, the Hon. Mark Dreyfus KC, MP, announced that the Australian Government would immediately begin looking for a new Privacy Commissioner to oversee the enforcement of the Privacy Act 1988 (Cth) (the Act). Currently, Angelene Falk acts as both the Information Commissioner and the Privacy Commissioner, but will remain only as the former. The Attorney-General’s announcement follows the OAIC’s recruitment of Penny Snowden, former Australian Federal Police General Counsel, in around February 2023 as Assistant Commissioner, Dispute Resolution, and the advertisement of legal and investigative positions in around April 2023 to fill a newly created Major Investigations Branch, which was established to handle the recent uptick of significant cyber-attacks in Australia.
The developments referred to above are consistent with the Australian Government’s stated intention to increase the enforcement of Australia’s privacy laws and the cyber security of Australia more generally. They also build on several important developments in the privacy and cyber landscape in Australia in the last 6 months:
It seems almost certain that the OAIC will continue to ramp up its investigative and enforcement activity in relation to Australia’s privacy laws in the immediate future. In addition to investigation and prosecution risk, we expect increased risk of information gathering powers being exercised by the OAIC.
It is essential that organisations doing business in Australia are prepared for the OAIC to come knocking. Organisations should review their existing data handling and security practices to ensure they are in fact compliant with the ‘basics’. Documentation such as privacy policies, collection notices, data storage and retention policies, and cyber incident response plans should be reviewed and updated to the extent they are out of date, or non-compliant with Australia’s laws.