Commonwealth Coat of Arms of Australia

Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022

No. 83, 2022

An Act to amend the law in relation to privacy, and for other purposes

[Assented to 12 December 2022]

The Parliament of Australia enacts:

This Act is the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022.

(1) Each provision of this Act specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.

Commencement information
Column 1	Column 2	Column 3
Provisions	Commencement	Date/Details
1. The whole of this Act	The day after this Act receives the Royal Assent.	13 December 2022

Note: This table relates only to the provisions of this Act as originally enacted. It will not be amended to deal with any later amendments of this Act.

(2) Any information in column 3 of the table is not part of this Act. Information may be inserted in this column, or information in it may be edited, in any published version of this Act.

3 Schedules

Legislation that is specified in a Schedule to this Act is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to this Act has effect according to its terms.

Schedule 1—Amendments

Australian Communications and Media Authority Act 2005

1 At the end of subsection 59D(1)

Add:

; (q) a non‑corporate Commonwealth entity (within the meaning of the Public Governance, Performance and Accountability Act 2013) not otherwise covered by this subsection that is responsible for enforcing one or more laws of the Commonwealth.

Australian Information Commissioner Act 2010

2 Section 25

Omit “The”, substitute “(1) Subject to subsection (2), the”.

3 Paragraphs 25(e), (g) and (h)

Repeal the paragraphs.

4 Paragraph 25(k)

Omit “1988;”, substitute “1988.”.

5 Paragraph 25(l)

Repeal the paragraph.

6 At the end of section 25

Add:

(2) The Information Commissioner may only delegate the following functions or powers to a member of staff of the Office of the Australian Information Commissioner who is an SES employee, or an acting SES employee, or who holds, or is acting in, a position that is equivalent to, or higher than, a position occupied by an SES employee:

(a) the function conferred by section 55K of the Freedom of Information Act 1982 (making a decision on an IC review);

(b) the function conferred by section 73 of the Freedom of Information Act 1982 (discretion not to investigate a complaint);

(c) the function conferred by section 86 of the Freedom of Information Act 1982 (obligation to notify on completion of investigation);

(d) making determinations for the purposes of section 52 of the Privacy Act 1988.

7 Paragraph 29(2)(a)

Repeal the paragraph, substitute:

(a) both of the following apply:

(i) the information was acquired by the person in the course of performing an information commissioner function or exercising a related power;

(ii) the person records, discloses or otherwise uses the information in the course of performing an information commissioner function or exercising a related power; or

(aa) both of the following apply:

(i) the information was acquired by the person in the course of performing a freedom of information function or exercising a related power;

(ii) the person records, discloses or otherwise uses the information in the course of performing a freedom of information function or exercising a related power; or

(ab) both of the following apply:

(i) the information was acquired by the person in the course of performing a privacy function or exercising a related power;

(ii) the person records, discloses or otherwise uses the information in the course of performing a privacy function or exercising a related power; or

8 Paragraph 29(2)(aa)

Reletter as paragraph (ac).

Privacy Act 1988

9 Paragraph 5B(3)(b)

Omit “Territory;”, substitute “Territory.”.

10 Paragraph 5B(3)(c)

Repeal the paragraph.

11 Subsection 6(1)

Insert:

alternative complaint body has the meaning given by subsection 50(1).

related body corporate: see subsection (8).

12 Section 13G

Before “An”, insert “(1)”.

13 Section 13G (penalty)

Repeal the penalty.

14 At the end of section 13G

Add:

(1A) Subsection (1) is a civil penalty provision.

Note: Section 80U deals with civil penalty provisions in this Act.

(2) The amount of the penalty for a contravention of subsection (1) by a person other than a body corporate is an amount not more than $2,500,000.

(3) The amount of the penalty for a contravention of subsection (1) by a body corporate is an amount not more than the greater of the following:

(a) $50,000,000;

(b) if the court can determine the value of the benefit that the body corporate, and any related body corporate, have obtained directly or indirectly and that is reasonably attributable to the conduct constituting the contravention—3 times the value of that benefit;

(c) if the court cannot determine the value of that benefit—30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

(4) Subsection (3) applies despite paragraph 82(5)(a) of the Regulatory Powers Act.

(5) For the purposes of paragraph (3)(c), the adjusted turnover of a body corporate during a period is the sum of the values of all the supplies that the body corporate, and any related body corporate, have made, or are likely to make, during the period, other than:

(a) supplies made from any of those bodies corporate to any other of those bodies corporate; or

(b) supplies that are input taxed; or

(c) supplies that are not for consideration (and are not taxable supplies under section 72‑5 of the A New Tax System (Goods and Services Tax) Act 1999); or

(d) supplies that are not made in connection with an enterprise that the body corporate carries on; or

(e) supplies that are not connected with the indirect tax zone.

(6) Expressions used in subsection (5) that are also used in the A New Tax System (Goods and Services Tax) Act 1999 have the same meaning as in that Act.

(7) For the purposes of paragraph (3)(c), the breach turnover period for a contravention means the longer of the following periods:

(a) the period of 12 months ending at the end of the month in which the contravention ceased, or proceedings in relation to the contravention were instituted (whichever is earlier);

(b) the period:

(i) starting at the beginning of the month in which the contravention occurred or began occurring; and

(ii) ending at the same time as the period determined under paragraph (a).

15 Subparagraphs 25(1)(a)(i) and 25A(1)(a)(i)

Omit “this Act (other than section 13G)”, substitute “this Part”.

16 At the end of section 26WA

Add:

• The Commissioner may obtain information or documents in relation to actual or suspected eligible data breaches.

17 Paragraphs 26WK(3)(c) and 26WR(4)(c)

After “the”, insert “particular”.

18 At the end of Part IIIC

Add:

Division 4—Commissioner’s powers to obtain information or documents relating to eligible data breaches

26WU Power to obtain information and documents relating to eligible data breaches

(1) This section applies if the Commissioner has reason to believe that a person or entity has information or documents, or can answer questions, that are relevant to either or both of the following matters (the relevant matters):

(a) an actual or suspected eligible data breach of an entity;

(b) an entity’s compliance with the requirements in Division 3 of this Part.

(2) Without limiting subsection (1), the relevant matters may relate to one or more of the following:

(a) whether the entity is required to comply with one or more of those requirements;

(b) the conduct or events that led to, or may have led to, the application of one or more of those requirements to the entity;

(d) the actual or suspected eligible data breach that has, or may have, happened;

(e) the particular kind or kinds of information involved in the actual or suspected eligible data breach;

(f) the steps taken to notify individuals affected by the actual or suspected eligible data breach.

(3) The Commissioner may give to the person or entity a written notice requiring the person or entity:

(a) to give information of the kind specified in the notice to the Commissioner that relates to the matter; or

(b) to produce documents of the kind specified in the notice to the Commissioner that relate to the matter; or

Note: For a failure to give information etc., see section 66.

(4) A notice given by the Commissioner under subsection (3) must state:

(a) the place at, or manner in which, the information or document is to be given or produced or the questions are to be answered; and

(b) the time at which, or the period within which, the information or document is to be given or produced or the questions are to be answered.

(5) If documents are produced to the Commissioner in accordance with a requirement under subsection (3), the Commissioner:

(a) may take possession of, and may make copies of, or take extracts from, the documents; and

(b) may retain possession of the documents for any period that is necessary for the purposes of assessing an entity’s compliance with this Part; and

(c) during that period must permit a person who would be entitled to inspect any one or more of the documents if they were not in the Commissioner’s possession to inspect at all reasonable times any of the documents that the person would be so entitled to inspect.

(6) This section is subject to section 70 but it has effect regardless of any other Commonwealth law.

(7) A person or entity is not liable to a penalty under the provisions of any other Commonwealth law because the person or entity gives information, produces a document or answers a question when required to do so under this section.

19 Division 3 of Part IV (heading)

Repeal the heading, substitute:

Division 3—Reports and information sharing by Commissioner

20 At the end of Division 3 of Part IV

Add:

33A Commissioner may share information with other authorities

(1) Subject to subsections (3) and (4), the Commissioner may share information or documents with a body covered by subsection (2) (a receiving body):

(a) for the purpose of the Commissioner exercising powers, or performing functions or duties, under this Act; or

(b) for the purpose of the receiving body exercising its powers, or performing its functions or duties.

(2) The following bodies are covered by this subsection:

(a) an enforcement body;

(b) an alternative complaint body;

(c) a State or Territory authority, or an authority of the government of a foreign country, that has functions to protect the privacy of individuals (whether or not the authority has other functions).

(3) The Commissioner may only share information or documents with a receiving body under this section if:

(a) the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under this Act; and

(b) the Commissioner is satisfied on reasonable grounds that the receiving body has satisfactory arrangements in place for protecting the information or documents.

(4) If the Commissioner acquired the information or documents from an agency, the Commissioner may only share the information or documents with a receiving body under this section if the receiving body is an agency.

(5) If information is shared with a receiving body under this section, the receiving body may use the information only for the purposes for which it was shared.

(6) To avoid doubt, the Commissioner may share information or documents with a receiving body under this section whether or not the Commissioner is transferring a complaint or part of a complaint to the body.

33B Commissioner may disclose certain information if in the public interest etc.

Information may generally be disclosed if in the public interest

(1) The Commissioner may disclose information acquired by the Commissioner in the course of exercising powers or performing functions or duties under this Act if the Commissioner is satisfied that it is in the public interest to do so.

Public interest considerations

(2) In determining under subsection (1) whether the Commissioner is satisfied that a disclosure is in the public interest, the Commissioner:

(a) must have regard to the following:

(i) the rights and interests of any complainant or respondent;

(ii) whether the disclosure will, or is likely to, prejudice any investigation the Commissioner is undertaking;

(iii) whether the disclosure will, or is likely to, disclose the personal information of any person;

(iv) whether the disclosure will, or is likely to, disclose any confidential commercial information;

(v) whether the Commissioner reasonably believes that the disclosure would be likely to prejudice one or more enforcement related activities conducted by or on behalf of an enforcement body; and

(b) may have regard to any other matter the Commissioner considers relevant.

(3) This section does not limit any other powers the Commissioner has to disclose information under this Act or any other law of the Commonwealth.

21 After paragraph 33C(1)(c)

Insert:

(ca) the ability of an entity subject to Part IIIC to comply with that Part, including the extent to which the entity has processes and procedures in place to:

(i) assess suspected eligible data breaches; and

(ii) provide notice of eligible data breaches to the Commissioner and to individuals at risk from such breaches;

22 At the end of section 33C

Add:

(3) Without limiting subsection (2), if the Commissioner has reason to believe that an entity or file number recipient being assessed has information or a document relevant to the assessment the Commissioner may, by written notice, require the entity or file number recipient to give the information or produce the document within the period specified in the notice, which must not be less than 14 days after the notice is given to the entity or file number recipient.

Note: For a failure to give information etc., see section 66.

(4) The Commissioner must not give a notice under subsection (3) unless the Commissioner is satisfied that it is reasonable in the circumstances to do so, having regard to the following:

(a) the public interest;

(b) the impact on the entity or file number recipient of complying with the notice;

(5) An enforcement body is not required to comply with a notice given by the Commissioner under subsection (3) if the chief executive officer of the enforcement body believes on reasonable grounds that compliance with the notice would be likely to prejudice one or more enforcement related activities conducted by or on behalf of the enforcement body.

(6) Subsection (3) is subject to section 70 but it has effect regardless of any other Commonwealth law.

(7) A person or entity is not liable to a penalty under the provisions of any other Commonwealth law because the person or entity gives information or produces a document when required to do so under subsection (3).

(8) The Commissioner may publish information relating to an assessment on the Commissioner’s website.

23 At the end of subsection 44(1)

Add:

Note: For a failure to give information etc., see section 66.

24 At the end of subsection 46(4)

Add:

Note: For a failure to give information etc., see section 66.

25 At the end of subsection 47(1)

Add:

Note: For a failure to give information etc., see section 66.

26 Subsection 50(1)

Omit “In this section”, substitute “In this Act”.

27 Subsection 50(1) (after paragraph (b) of the definition of alternative complaint body)

Insert:

(ba) the eSafety Commissioner; or

28 Subsection 50(1) (definition of Ombudsman)

Repeal the definition.

29 After subparagraph 52(1)(b)(ii)

Insert:

(iia) a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A);

30 After paragraph 52(1A)(b)

Insert:

(ba) a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A);

31 After subsection 52(1A)

Insert:

(1AAA) Without limiting subparagraph (1)(b)(ia) or paragraph (1A)(b), the steps specified by the Commissioner may include a requirement for the respondent to:

(a) engage, in consultation with the Commissioner, a suitably qualified independent adviser to review:

(i) the acts or practices engaged in by the respondent that were the subject of the complaint; and

(ii) the steps (if any) taken by the respondent to ensure that the conduct referred to in the determination is not repeated or continued; and

(iii) any other matter specified in the declaration that is relevant to those acts or practices, or that complaint; and

(b) provide a copy of the review to the Commissioner.

32 After subsection 52(5)

Insert:

(5A) The Commissioner may publish a determination made under this section on the Commissioner’s website.

33 After section 52

Insert:

52A Determination—requirement to notify conduct constituting interference with privacy of individual

(1) If a determination under section 52 includes a declaration mentioned in subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba), the respondent must, within 14 days after receiving the determination (or such longer period as the Commissioner allows):

(a) prepare a statement, in consultation with the Commissioner, setting out:

(i) the identity and contact details of the respondent or, if the respondent is the principal executive of an agency, the agency; and

(ii) a description of the conduct engaged in by the respondent that constitutes the interference with the privacy of an individual; and

(iii) the steps (if any) undertaken, or to be undertaken, by the respondent to ensure the conduct is not repeated or continued; and

(iv) any other information required by the declaration to be included in the statement; and

(b) if required by the declaration—give a copy of the statement to the complainant or, if the complaint is a representative complaint, to each class member identified as affected by the determination, in the manner specified by the declaration; and

(c) if required by the declaration—publish, or otherwise communicate, the statement in the manner specified by the declaration; and

(d) give the Commissioner, within 14 days after the end of the period specified in the declaration, evidence that the actions required by paragraphs (b) and (c) were taken in accordance with this section and the declaration.

(2) The matters specified by the Commissioner for the purposes of subsection (1) must be reasonable and appropriate.

34 Division 3 of Part V (heading)

Repeal the heading, substitute:

Division 3—Enforcement of determinations

35 At the end of section 55

Add:

; and (d) must prepare and publish, or otherwise communicate, a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) and section 52A.

36 At the end of section 58

Add:

37 At the end of section 59

Add:

; and (d) the preparation, publishing or communicating of a statement in accordance with a declaration included in the determination under subparagraph 52(1)(b)(iia) or paragraph 52(1A)(ba) and section 52A.

38 Subsection 66(1)

Repeal the subsection, substitute:

Basic contravention

(1) A person contravenes this subsection if:

(a) the person is required to give information, answer a question or produce a document or record under this Act; and

(b) the person refuses or fails to do so.

Civil penalty: 60 penalty units.

39 After subsection 66(1)

Insert:

Multiple contraventions

(1AA) A person commits an offence if:

(a) the person is a corporation; and

(b) the person engages in conduct that constitutes a system of conduct or a pattern of behaviour; and

Penalty: 300 penalty units.

40 Subsection 66(1B)

After “(1)”, insert “or (1AA)”.

41 Subsection 66(1B) (note)

Repeal the note, substitute:

Note: A person who wishes to rely on this subsection bears an evidential burden in relation to the matter in this subsection: see subsection 13.3(3) of the Criminal Code and section 96 of the Regulatory Powers Act.

42 Paragraph 67(b)

Omit “, whether or not pursuant to a requirement under section 44”.

43 Subsection 70(1)

Omit “is not entitled to require”, substitute “must not exercise a power under this Act that requires”.

44 After Division 1 of Part VIB

Insert:

Division 1A—Infringement notices

80UB Infringement notices

Provisions subject to an infringement notice

(1) Subsection 66(1) of this Act is subject to an infringement notice under Part 5 of the Regulatory Powers Act.

Note: Part 5 of the Regulatory Powers Act creates a framework for using infringement notices in relation to provisions.

Infringement officer

(2) For the purposes of Part 5 of the Regulatory Powers Act, each of the following is an infringement officer in relation to the provision mentioned in subsection (1):

(a) the Commissioner;

(b) a member of the staff of the Commissioner who holds, or is acting in, an office or position that is equivalent to an SES employee.

Relevant chief executive

(3) For the purposes of Part 5 of the Regulatory Powers Act, the Commissioner is the relevant chief executive in relation to the provision mentioned in subsection (1).

Extension to external Territories

(4) Part 5 of the Regulatory Powers Act, as that Part applies in relation to the provision mentioned in subsection (1), extends to every external Territory.

45 Application of amendments

(1) Subsection 59D(1) of the Australian Communications and Media Authority Act 2005, as amended by this Schedule, applies in relation to authorised disclosure information acquired by the ACMA before or after the commencement of this item.

(2) Subsection 29(2) of the Australian Information Commissioner Act 2010, as amended by this Schedule, applies in relation to information acquired before or after the commencement of this item.

(3) Section 13G of the Privacy Act 1988, as amended by this Schedule, does not apply in relation to an act done, or a practice engaged in, before the commencement of this item.

(4) Paragraphs 26WK(3)(c) and 26WR(4)(c) of the Privacy Act 1988, as amended by this Schedule, apply in relation to statements prepared after the commencement of this item.

(5) A notice may be given under section 26WU of the Privacy Act 1988, as added by this Schedule, in relation to an actual or suspected eligible data breach that occurred, or may have occurred, before or after the commencement of this item.

(6) Section 33A of the Privacy Act 1988, as added by this Schedule, applies in relation to the sharing of information or documents after the commencement of this item, whether the information or documents were obtained by the Commissioner before or after that commencement.

(7) Section 33B of the Privacy Act 1988, as added by this Schedule, applies in relation to the disclosure of information after the commencement of this item, whether the information was obtained by the Commissioner before or after that commencement.

(8) Section 33C of the Privacy Act 1988, as amended by this Schedule, applies in relation to:

(a) assessments started before the commencement of this item but not concluded at that commencement; and

(b) assessments started after that commencement.

(9) Section 52 of the Privacy Act 1988, as amended by this Schedule, applies in relation to:

(a) the investigation of complaints that started before the commencement of this item but not finally dealt with at that commencement; and

(b) the investigation of complaints that started after that commencement.

(10) Subsection 52(5A) of the Privacy Act 1988, as inserted by this Schedule, applies in relation to determinations made by the Commissioner before or after the commencement of this item.

[Minister’s second reading speech made in—

House of Representatives on 26 October 2022

Senate on 21 November 2022]

(113/22)