Cyber, data, privacy and technology platforms

Key regulatory and enforcement developments – 2022

We saw intense public and political scrutiny of the cybersecurity and data handling practices of Australian companies in 2022. This arose in part from recent high-profile data breaches (particularly those affecting Optus and Medibank), which prompted the Australian Government to accelerate its reform of the Privacy Act and reinforced an existing trend for the OAIC, ASIC, APRA and the ACCC to take further action and increase their oversight of data matters more broadly.[1]

As part of this, key regulators have increased their focus on boards and senior management. ASIC, APRA and the OAIC are all focused on the obligations of boards and senior management to oversee the assessment, mitigation and management of cyber risk and cyber governance failures, and have repeatedly emphasised the criticality of board-level oversight of cyber and data risk issues.[2]

Other key developments in this space included:

  • The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 came into effect on 13 December 2022, providing for a significant increase in the penalties for serious or repeated infringements of the privacy of individuals (from $2.2 million to $50 million, or an alternative amount based on three times the value of the benefit or 30% of adjusted turnover) and giving the OAIC enhanced enforcement, information gathering and information sharing powers.[3] This is the first tranche of the Australian Government's overhaul of privacy legislation, with a more substantial set of changes being considered in 2023 (see below).
  • Significant expansion of the scope of the Security of Critical Infrastructure legislation. Further reforms to, and rules under, the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) came into effect, after the scope of the Act was greatly expanded to cover a wide range of additional industries and to deal with cyber incidents. These included potential new risk management program obligations for industries governed by the SOCI Act.
  • The Australian Communications and Media Authority (ACMA) continued to crack down on spam emails. In 2022, ACMA continued to use its powers in relation to spam emails, issuing some of its largest infringement notices ever and accepting multiple enforceable undertakings (including three infringement notices of between $1.5 million and $2.5 million for sending emails without consent or without adequate unsubscribe features).[4]
  • In the OAIC's case against Meta in February 2022, the Full Federal Court confirmed an earlier ruling that there was a prima facie case that Meta 'carries on a business' and collects personal information in Australia. Meta sought leave from the High Court to appeal the Full Court decision, with leave being granted in September 2022. The High Court will hear Meta's appeal in March 2023.
  • The ACCC continued to focus on consumer rights and transparency by digital platform providers. As part of its Digital Platform Services Inquiry, the ACCC has recommended significant reforms targeting digital platforms, including potential new measures to safeguard consumers' privacy, having regard to the large amounts of data held by digital platform providers. The ACCC has also continued to institute proceedings against large tech platforms for alleged contraventions of the Australian Consumer Law in relation to privacy and data. For example, Google was penalised $60 million for misleading representations to consumers about the collection and use of their personal location data on Android phones, following court action by the ACCC. However, a separate application by the ACCC alleging that Google had contravened the Australian Consumer Law was dismissed by the Federal Court in late 2022.

Likely regulatory and enforcement developments – 2023

We expect to see substantial legislative change in 2023 in the privacy arena. We also expect to see increased regulatory scrutiny and enforcement activity around cybersecurity – a trend we were already seeing before the Optus and Medibank incidents.

  • Privacy Act Review: the Attorney-General released the broad-ranging Privacy Act Review Report 2022 on 16 February 2023. The report makes 116 substantial reform proposals intended to significantly strengthen and modernise Australian privacy law, including by bringing it more closely into line with the GDPR. If enacted, this would constitute the largest change in privacy law since 2014. The proposed changes include:
    • providing consumers (including children and people experiencing vulnerability) with greater transparency, control and protections in relation to their personal information, such as better information about how personal information is collected, used and disclosed, and greater individual control over personal information, including a right of erasure of personal information;
    • introducing a new, overarching 'fair and reasonable' test which must be satisfied for any handling of personal information, irrespective of whether consent has been obtained from an individual;
    • expanding the scope of information that is required to be protected under the Privacy Act, including new provisions dealing with de-identified information, and a proposal to recalibrate current exemptions from the Privacy Act (including the small business, employee records, political and journalism exemptions);
    • strengthening enforcement of privacy obligations, including by granting the OAIC additional and expanded enforcement powers, establishing a new direct right of action for individuals (which will give rise to a new class action cause of action) and potentially a tort for serious invasions of privacy; and
    • investigating an industry funding model for the OAIC which would, if introduced, result in a more robustly resourced OAIC.

      These proposals will be considered further during the first half of 2023, with legislation to follow. Assuming most, or all, of the proposals are implemented in legislation, it is anticipated that a reasonable implementation period would be provided for organisations to uplift their compliance processes.
  • ASIC: ASIC has stated that it will take enforcement action where it considers there have been egregious failures to mitigate the risks of cyber-attacks, and related cyber resilience governance failures.[5] We may also see actions against company directors and officers in respect of cybersecurity incidents, with ASIC Chairman Joe Longo specifically identifying cyber resilience as the 'No. 1 risk' for boards.[6]
  • APRA: APRA has also issued warnings to regulated entities in light of the high-profile breaches and will continue to prioritise strengthening the cyber resilience of regulated entities.[7] APRA has stated that entities should strengthen controls around high-risk processes and transactions and ensure they are complying with the notification requirements under CPS 234 (Information Security),[8] and has set out guidance on its expectations of boards.[9] APRA's requirements for the management of operational risk by regulated entities and their boards are expected to be codified through the implementation of the new CPS 230 (currently under consultation).[10]
  • OAIC: even before the recent high-profile data breaches, the OAIC had been paying increasing attention to compliance with Australian Privacy Principle 11.2, which requires personal information to be destroyed or de-identified once it is no longer required, including through two recent determinations against organisations found to have breached it.[11] We expect the OAIC to be increasingly active in enforcement during 2023.
  • ACCC: businesses can expect continuing regulatory scrutiny in 2023 in relation to consumer consent and data handling practices. For example, the ACCC has highlighted a range of concerns about the operation of online retail marketplaces, including the use of algorithms to rank and display products, the collection and use of consumer data, inadequate dispute resolution processes and the need for more consumer protections. Unfair contract terms will also become illegal from November 2023, and this is expected to become a significant enforcement tool used by the ACCC to address privacy policy concerns. If the recommendations in Interim Report 5 of the Digital Platform Services Inquiry are implemented, this could significantly change the status quo for digital platforms. The ACCC has stated that digital platforms should strengthen processes for reporting scams, harmful apps (both for users and for the digital platforms themselves) and fake reviews, introduce verification processes for business users to reduce the risk of scams and improve the reliability of reviews, and ensure user access to appropriate dispute resolution, which would be supported by the establishment of a new digital platform ombuds scheme. The ACCC also recommended the introduction of service-specific codes of conduct applying to designated digital platforms. These may include targeted obligations for digital platforms to prevent anticompetitive self-preferencing and tying, address data advantages, ensure fair treatment of business users and improve switching, interoperability and transparency.

Key regulators and enforcement agencies in this area

OAIC, ACCC, ACMA, ASIC, APRA (for banks, insurers and superannuation funds), the Department of Home Affairs/CISC (Cyber and Infrastructure Security Centre) for SOCI Act regulated entities and FIRB/Australian Signals Directorate for entities which are the subject of data/security conditions imposed as part of acquisitions by offshore purchasers.


Key sectors of focus

Given all entities hold some form of customer and employee data, all are potential targets. However, any entity which holds particularly sensitive information should be on high alert. Critical infrastructure assets and digital platforms will likewise be a focus.

Footnotes

  1. OAIC: OAIC opens investigation into Optus over data breach (oaic.gov.au); OAIC opens investigation into Medibank over data breach (oaic.gov.au). ASIC: Guidance for consumers impacted by the Optus data breach (asic.gov.au); Guidance for consumers impacted by the Medibank Private and AHM cyber incident (asic.gov.au). APRA: Optus data breach: an update for APRA regulated entities (apra.gov.au); Medibank Data Breach: Update for APRA-regulated entities (apra.gov.au); APRA's interim response to Medibank cyber breach (apra.gov.au).

  2. APRA: Improving cyber resilience: the role boards have to play (apra.gov.au); Medibank Data Breach: Update for APRA-regulated entities (apra.gov.au); APRA's interim response to Medibank cyber breach (apra.gov.au). ASIC: Cyber risk: Be prepared (asic.gov.au); Key questions for an organisation's board of directors (asic.gov.au); Cyber resilience good practices (asic.gov.au); Optus Medibank hacks 2022: ASIC chairman Joe Longo says cybersecurity breaches are 'wake-up call' for directors (afr.com). OAIC: Guide to securing personal information (oaic.gov.au).

  3. Privacy Act changes raise the bar (allens.com.au)

  4. https://www.acma.gov.au/investigations-spam-and-telemarketing#outcomes-for-2022

  5. ASIC's Corporate Plan shaped by emerging environmental, economic and technology (allens.com.au)

  6. Optus Medibank hacks 2022: ASIC chairman Joe Longo says cybersecurity breaches are 'wake-up call' for directors (afr.com)

  7. APRA's Supervision Priorities, information paper, 1 February 2022 (apra.gov.au)

  8. Optus data breach: an update for APRA regulated entities (apra.gov.au); Medibank Data Breach: Update for APRA-regulated entities (apra.gov.au); APRA's interim response to Medibank cyber breach (apra.gov.au)

  9. APRA's interim response to Medibank cyber breach (apra.gov.au)

  10. https://www.apra.gov.au/operational-risk-management

  11. https://www.allens.com.au/insights-news/insights/2022/10/get-your-data-retention-and-destruction-program-up-and-running/