Privacy breaches & cyber security in Australia – heightened enforcement risk

Not only is Australia’s Government focussed on positioning Australia as a global leader in cyber security by 2030, it has (finally) forged ahead with long awaited privacy law reforms, with changes to maximum penalties and enforcement powers fast tracked in December 2022 and further developments regarding the more comprehensive review of the adequacy of Australia’s privacy laws expected by the end of 2023. More recently, Australia’s privacy regulator (the OAIC) has commenced investigations into a number of large cyber-breaches which have affected the personal information of millions of Australians.

Additional funding for privacy enforcement and cyber security initiatives

The fact of increased cyber and privacy enforcement risk in Australia was essentially confirmed this week when the federal Government announced in the Budget 2023/24 that the OAIC will receive over $60 million over the next few years to fund increased enforcement activities.

Specifically, an additional $17.8 million has been allocated for FY 2023/24 and $45 million over four years to increase the OAIC’s enforcement of Australia’s privacy laws. Other funding for data privacy and cyber security in the Budget 2023/24 includes:

• $23.4 million to assist small businesses mitigate cyber-attacks through training by Council of Small Business Organisations Australia;
• $86.5 million to create a National Anti-Scam Centre to help ASIC fight scam websites;
• $26.9 million to improve the efficiency and protection on Digital IDs; and
• $88.8 million over 2 years to support the Consumer Data Right in banking, energy, and the non-bank lending sectors and deliver a cyber security uplift.

Strengthening the OAIC’s investigative and enforcement team

This allocation of substantial additional funding comes after apparent structural changes at the OAIC which suggest its internal investigative and enforcement teams have been strengthened. On 2 May 2023, Australia’s Attorney-General, the Hon. Mark Dreyfus KC, MP announced that the Australian Government would immediately begin looking for a new Privacy Commissioner to oversee the enforcement of the Privacy Act 1988 (Cth) (the Act). Currently, Angelene Falk acts as both the Information Commissioner and the Privacy Commissioner but will remain only as the former. The Attorney General’s announcement follows the OAIC’s recruitment of Penny Snowden, former Australian Federal Police General Counsel, in around February 2023 as Assistant Commissioner, Dispute Resolution and the advertisement of legal and investigative positions in around April 2023 to fill a newly created Major Investigations Branch which was established to handle the recent uptick of significant cyber-attacks in Australia.

Prior developments consistent with increasing enforcement risk

The developments referred to above are consistent with the Australian Government’s stated intention to increase the enforcement of Australia’s privacy laws and the cyber security of Australia more generally.  They also build on several important developments in the privacy and cyber landscape in Australia in the last 6 months:

1. The fast tracking of changes to the Act in…