Privacy Awareness Week (6-12 May, 2024) - changes to the Privacy Act that could impact your organisation


To mark Privacy Awareness Week from 6 to 12 May 2024, we are sharing five Privacy Act updates with important legal changes that could impact your organisation.


Penalties for non-compliance with the Privacy Act 1988

One of the most significant changes has been the increase in maximum fines for serious or repeated violations of the Privacy Act 1988, which have risen from the previous cap of A$2 million to a new cap of: A$50 million; three times the value of the benefit obtained by the organisation that is reasonably attributable to the conduct which caused the breach; or, if the court cannot determine the value of the benefit, 30% of the organisation's adjusted turnover during the breach turnover period for the contravention.

These changes have been undertaken to better align penalties with the potential consequences of privacy breaches, ensuring that penalties provide meaningful deterrents for all organisations. Penalties of this size are also more consistent with the penalties under international frameworks like the EU’s General Data Protection Regulation (GDPR).

The significant increase in potential fines highlights the necessity for businesses to maintain stringent compliance with data protection laws in order to avoid substantial financial repercussions.

Should you have any concerns that your business may not be compliant with the Act, or to prepare for the coming changes, feel free to reach out to us to discuss how we can assist you with your data protection frameworks and practices (it's never too late to conduct an audit!).


Important changes to the Privacy Act which are on the way in 2024

Upcoming amendments to the Privacy Act are expected to include the broadening of the definitions and reach of the Act to include additional types of personal information, akin to the EU's GDPR.

These expected changes have been announced by the Federal Government in response to the Attorney-General’s 2023 Privacy Act review. Following the results of this process, Australians may have greater control over their personal data, including more straightforward access and robust consent processes.

As the revised Privacy Act is likely to impose more stringent requirements on all Australian businesses, it’s best to start upgrading your privacy and cyber policies now so that you’re ready when the changes come into effect.

If you need assistance with this, feel free to get in touch.


Did you know that many Australian companies are also required to comply with the EU’s General Data Protection Regulation, or GDPR?

The GDPR mandates compliance from any entity interacting with EU residents, transcending traditional geographical boundaries.

This means that Australian organisations engaging with European markets, either directly or through online interactions, must adhere to the EU’s requirements.

The penalties for non-compliance are high, with fines reaching up to €20 million or 2% of the company’s global annual turnover, whichever is greater. Beyond financial penalties, non-compliance risks significant reputational damage and loss of consumer trust.

Achieving GDPR compliance in Australia involves integrating GDPR requirements with existing frameworks including the Privacy Act. Key steps include conducting Data Privacy Assessments, ensuring clear consent processes, and maintaining transparency about data usage.

Law & Cyber’s Special Counsel Dr Roberto Musotto is admitted to practise law in both Italy and Australia, making him perfectly suited to advise on your compliance obligations under GDPR.

Please reach out to Roberto if you have any GDPR-related questions or need assistance with privacy-related issues more broadly.


Protecting your business and your clients or customers is about more than just awareness. It’s about resilience, education and vigilance.


One of the anticipated amendments to the Privacy Act is the removal of the small business exclusion, which currently exempts businesses with an annual turnover of less than A$3 million.

The vast majority of Australian businesses have annual turnover of less than $3 million. Currently most of these businesses are not required to comply with the Privacy Act, because of concerns regarding compliance costs and the view that small businesses' practices did not pose a significant threat to privacy.

However, the government has signalled its intention to remove the small business exclusion to better reflect the amount of personal information now collected by organisations of all sizes. This change, which will apply to both for-profit and not-for-profit entities, is expected to significantly expand the scope of the Act, making it applicable to an additional 2 million organisations across Australia. The intention behind this amendment is to enhance privacy protections and ensure that all businesses handling personal data uphold the same standards of accountability and security.

The government has also acknowledged that significant work is required before this reform can be put in place, including an impact analysis to better understand the likely effect on small businesses and the support they will need to adjust their privacy practices and comply with the Act.

Small businesses should start preparing now by assessing their current data protection measures and planning necessary upgrades to comply with the new requirements.

Our team is here to help guide you through these changes and ensure your business is ready to undertake these additional compliance requirements - contact us for further information.


Navigating the CCPA

As the last in our series of five posts for #PrivacyAwarenessWeek we take another look at international legislation that can be relevant to Australian businesses.

The California Consumer Privacy Act (CCPA) sets a benchmark for privacy rights, allowing consumers to have more control over personal information that businesses collect about them. Although it originates in California, the CCPA can apply to some Australian businesses, particularly those that operate in California, sell to California residents, or collect personal information from California residents.

Understanding and complying with overseas regulations like the CCPA becomes crucial for global business operations, especially for those in e-commerce, software services, and technology sectors.

What does this mean for Australian businesses?

From providing clear disclosures about data collection to ensuring robust mechanisms for consumer data requests, CCPA compliance is not just a regulatory requirement; it is a significant component of retaining customer trust and corporate responsibility.

If your business regularly deals with US entities, reach out to us to ensure your practices are up to par and turn regulatory challenges into competitive advantages.
