As of yesterday, the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Privacy Enforcement Act) is now in effect after receiving Royal Assent on 12 December 2022.
As we have previously shared, the Privacy Enforcement Act increases the maximum penalties for serious or repeated privacy breaches. For body corporates/organisations this increases the penalty from the current $2.22 million to whichever is the greater of:
-
$50 million;
-
if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;
-
if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
The Act also provides the Australian Information Commissioner with greater enforcement powers to enable privacy breaches to be resolved more quickly and efficiently through more effective information-sharing powers.
While the Privacy Act review has been ongoing since 2020 with an increase to the maximum penalties long-expected, the Privacy Enforcement Act was a quick response to recent major data breaches. Attorney-General, Mark Dreyfus stated that “significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business”.
This is just the first step in what is likely to be significant amendments to the Privacy Act that will follow from the Attorney General’s Department’s ongoing review.
We expect that the regulator will start to take a far firmer approach to companies failing to secure their customer’s personal information and now carries a big stick to use in that process.
Stephanie Mayhew also contributed to this article.
Copyright 2025 K & L Gates