Australia’s progressive privacy law reforms may just be the incentive we have been waiting for…

5 Dec 22

In the wake of a series of significant privacy breaches, Australia has wasted no time in legislating tougher penalties for large companies.

Australia’s high-profile Optus and Medibank data breaches in recent months, amongst others, have revealed cracks in Australia’s privacy laws.

The new Government’s response has been to increase the penalties associated with serious breaches under the Privacy Act 1988 (Cth) (the Australian Privacy Act) as well as providing the Office of the Australian Information Commissioner (OAIC) with enhanced enforcement and information gathering and sharing powers. The instrument of choice? The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2002 (Bill).

What are the impending changes?

Upon Royal Assent (which is expected shortly), the financial penalties amendments will be as follows:

For persons other than body corporates:

  • The current penalty will increase to AU$2.5 million.

For body corporates:

  • The current penalty will change from AU$2.2 million to whichever is the greater of:
    • AU$50 million;
    • three times the value of any benefit obtained; or
    • if the court cannot determine the value of the benefit, 30% of the entity’s turnover in the relevant period for the contravention.

The Bill also grants the Australian Information Commissioner greater powers to resolve privacy breaches and quickly share information about data breaches to help protect affected individuals. All in all, these amendments are intended to ensure that the OAIC is better equipped to provide transparent and detailed information to the affected individuals.

The enactment of this Bill is only the first tranche in a series of planned reforms across the Australian privacy law landscape. The Australian Government is still in the process of reviewing the Australian Privacy Act more broadly, which has been in progress since December 2019. Despite the prolonged review attributed to the change in government, a report on the consultation on the Australian Privacy Act can be expected by the end of the year.

Will this have any flow-on effects for New Zealand businesses?

The Bill has also broadened the extra-territorial jurisdiction of Australian privacy laws, resulting in New Zealand businesses being captured by the Australian Privacy Act in the future to the extent that they carry on business in Australia. Accordingly, New Zealand businesses carrying on business in Australia will need to revisit their current privacy practices and policies to ensure compliance once these amendments are in force.

Will New Zealand follow in Australia’s footsteps?

Prior to the Bill, penalties in Australia were already much more severe than those in New Zealand. The result of this Bill is that the pre-existing disparity in penalties between us and our cousins over the ditch will widen. In New Zealand, fines under our own Privacy Act 2020 are capped at NZ$10,000; however, the Human Rights Tribunal may hear complaints from aggrieved individuals, with damages awarded by the Tribunal capped at NZ$350,000. While the 2020 amendments were a step forwards, further amendments will need to be undertaken in order to bring our privacy legislation and regulations up to speed with Australia’s, and more broadly, the more onerous General Data Protection Regulations.



Want to know more?

If you have any questions, the Anderson Lloyd Team are available to assist and can be contacted here.
