Privacy, data and information sharing laws - where we've come from and where we're going
There’s been an ever-increasing push for regulatory reform around data – how it’s used, shared and kept safe, particularly in relation to the personal information of individuals. Last year was a big year of change for the management of data and privacy in Australia.
- On 22 February 2018, the National Data Breaches (NDB) scheme came into effect, which introduced a raft of new[1] obligations including fines of up to $2.1 million for serious failures to comply.
- On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) came into effect, impacting Australian organisations[2].
- On 31 January 2019 (after a number of extensions), the opt-out period for My Health Records ended, with the centralised electronic system becoming the default for Australia's health information[3].
2019 looks set to be another watershed year of change for Australia’s privacy, data and information sharing laws, with a number of proposed changes already on the agenda.
Privacy Laws / OAIC – we’re not done yet
The honeymoon period for the NDB scheme appears to be over already and the OAIC has welcomed[4] announcements, on 24 and 25 March 2019[5], that legislation will be introduced to beef up Australia’s existing privacy laws, increasing penalties and online safeguards. The legislation is set to be drafted in the second half of 2019 and supposedly will include:
- A new penalty regime under the Privacy Act which will increase penalties for all entities covered (including social media and online platforms operating in Australia) from a max of $2.1 million to:
  - $10 million for serious or repeated breaches; or
  - three times the value of any benefit obtained through misuse of information; or
  - 10% of a company’s annual domestic turnover, whichever is the greatest.
- New infringement notice powers with new penalties of up to $63k for bodies corporate or $12.6k for individuals for failure to co-operate to resolve minor breaches.
- Additional options available to the OAIC to ensure breaches are addressed.
- Brand new rules specifically addressing social media/online platforms, including:
  - A requirement to stop using or disclosing personal information of an individual on request for further and better particulars
  - Development of a social media “code”, which will focus on transparency of data sharing and more specific consent requirements for collection/distribution/use of personal information.
- Specific rules for the management of sensitive information about children and other vulnerable groups.
Relevant findings from the current digital platforms inquiry by the ACCC are also slated for inclusion, with its final report due sometime in June 2019[6].
Further, the Consumer Data Rights (CDR) regime is also planned to come into effect on 1 July 2019, with slight amendments to the scope of the Privacy Act occurring as a result. The amendments will make small business operators subject to the Privacy Act in relation to personal information, where they hold an accreditation under the new CDR laws[7]. The privacy of all CDR data will be governed by the CDR privacy safeguards.
New bar for social media and information sharing companies
In addition to the new requirements and code for social media companies referred to above, the government made a huge announcement[8] following the livestreamed murder of 50 people by the perpetrator of the Christchurch mosque shootings on 15 March 2019, with world-first legislation proposed.
The Criminal Code Amendment (Sharing of Abhorrent Violent Material) Bill 2019 (the Bill) has now passed through both houses. The Bill introduces an offence for failure to remove abhorrent violent material from social media and information sharing platforms expeditiously, with penalties similar to those put forward for serious breaches under the Privacy Act’s new penalty scheme. These include fines of up to 10% of a company’s annual turnover, and a maximum sentence of three years imprisonment for individuals found guilty of the offence. Notification requirements and corresponding penalties for failures to notify are also introduced under the Bill.
While there’s been heavy criticism that the Bill is rushed following the announcement last week[9], the proposed formation of a task force to assist in the development of the law around this increasingly important issue is a welcome one.
 https://www.oaic.gov.au/media-and-speeches/statements/oaic-welcomes-increased-enforcement-powers-to-keep-australians-personal-information-safe-online  https://www.minister.communications.gov.au/minister/mitch-fifield/news/tougher-penalties-keep-australians-safe-online
 https://www.legislation.gov.au/Details/C2019B00025; https://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/r6281_ems_58a7c56b-36e3-4388-acf8-58455b983a76/upload_pdf/698114.pdf;fileType=application%2Fpdf
 https://which-50.com/labor-vows-to-reform-terrible-new-encryption-laws/ ; https://www.innovationaus.com/2019/04/New-social-media-laws-pointless ; https://www.computerworld.com.au/article/659559/social-media-companies-decry-threat-jail-execs-over-terror-streaming/