The Australian Privacy Commissioner will be able to issue million-dollar fines to government agencies and companies for serious and repeated privacy breaches under a new law.
The reforms, which Commonwealth Attorney-General Nicola Roxon has dubbed the most significant changes to privacy laws in more than 20 years, passed on Thursday and are expected to come into force in about 15 months. Ms Roxon introduced a discussion paper on mandatory reporting of breaches in October.
The law gives privacy commissioner Timothy Pilgrim new powers, including the ability to investigate both government agencies and companies at his discretion, in the same way that he currently can investigate individuals.
"I can get written undertakings and if they're not complied with, I can get them enforced through the courts and where there is a serious or repeated breach, go to court to ask civil penalties be imposed on them," Mr Pilgrim said.
The maximum penalty for both government agencies and private organisations is $1.1 million. The law brings both under one set of privacy principles, instead of two.
Mr Pilgrim will also be able to require companies to develop privacy codes for new technologies that collect customers' personal information, which the law does not currently regulate. "If there is no one in the industry to do so I will be able to impose [codes] ... this is the way the act is being developed in a technology-neutral way," he said.
The Australian Privacy Foundation's policy committee chair Nigel Waters said the new powers, while welcome, will make little difference to people's privacy protections, largely because the law does not give them a right to have a complaint determination made.
"The Commissioner has had the power under the [Privacy] Act since 1988 to make a determination which sets out whether he thinks laws have been broken and to produce remedies ... the problem is successive commissioners have only made nine in 23 years," he said.
"Without a determination the complainant can't appeal to the courts. We've had thousands over the years denied the right to know what the commissioner thinks about their complaints and to challenge them if they don't agree."
Mr Pilgrim said most complaints were resolved privately.
The law will also have wide-ranging implications for the handling and distribution of customers' personal information.
Credit providers will be able to record customers' repayment history and provide it to banks if a loan remains unpaid two weeks after the customer has defaulted on it.
Companies will also now be responsible for the way their customers' personal information is handled by their offshore counterparts, such as call centres.
Mr Waters said this weakened, rather than strengthened, privacy protections at a time when information was frequently transferred across borders through cloud computing and social media networks.
"This approach assumes the Australian government is in a position to do something about breaches that occur in another country," he said.
"At the end of the day the only redress is if the company decides to bring civil proceedings against the country which is nowhere near as effective as an individual being able to complain directly about the breach."
Some of the changes made into law:
- Companies can give customers' personal information to offshore counterparts, like call centres, but are responsible for the way they deal with it.
- Credit providers can give customers' repayment history to other organisations if a loan hasn't been paid back two weeks after default.
- Companies are required to give people an easy "opt-out" from direct marketing material, regardless of whether personal information was collected initially for direct marketing or for a secondary use.