Key themes shaping Australian regulatory enforcement risk in 2024

Cyber, data, privacy and technology platforms

Key regulatory and enforcement developments in 2023

Continuing the trend from prior years, we saw ongoing focus from regulators, government and the general public on information privacy, cyber risk management and data considerations. We also saw the emergence of new areas of focus, with hype and concern in equal measure about the possibilities and risks posed by AI.

Some key developments in this space included:

  • In November 2023, the Office of the Australian Information Commissioner (OAIC) commenced civil penalty proceedings (for only the second time in its history) against Australian Clinical Labs for breach of the Privacy Act 1988 (Cth).1 Importantly, this is the first time the OAIC has sought a civil penalty against an entity for (among other things) failures in connection with the response to a cyber incident and compliance with the Eligible Data Breach regime. In addition, two determinations of the OAIC emphasised the need for organisations to undertake an expeditious eligible data breach assessment.2
  • The Australian Communications and Media Authority (the ACMA) continued to prioritise enforcement of the Spam Act 2003 (Cth), completing nine investigations in FY23 that resulted in over $8 million in infringement notices.3
  • In litigation related to the regulatory enforcement matters, 2023 saw a number of data breach class actions commenced, including against Optus and Medibank in respect of their cyber breaches, each with claims centred on failures relating to data handling, privacy compliance and cybersecurity.4
  • APRA released a final version of new Prudential Standard CPS 230 (Operational Risk Management) (CPS 230) which will apply to all APRA-regulated entities. The new standards will require significant uplifts to governance, compliance, contractual and incident response arrangements to address recent operational risk failures, including in respect of material cyber breaches.5 CPS 230 takes effect on 1 July 2025.
  • New rules were introduced under the Security of Critical Infrastructure Act 2018 (SOCI Act) requiring risk management programs to be in place for responsible entities of certain categories of critical infrastructure assets.
  • In November 2023, the Australian Signals Directorate, together with 19 other global partners, published Guidelines for secure AI system development.6 This was released following Australia signing the Bletchley Declaration of the AI Safety Summit, committing to the safe and responsible use of AI.7
  • In December 2023, industry codes registered with the eSafety Commissioner in respect of restricted online material came into effect.8 The eSafety Commissioner also issued notices to each of Google and X (formerly Twitter) for non-compliance with the Online Safety Act 2021 (Cth).
  • The ACCC continues to call for significant regulatory reform to address competition and consumer harms in relation to digital platforms. In December 2023, the Government responded to the ACCC's recommendations and indicated in principle support for regulatory reform that would involve economy-wide consumer measures (such as a prohibition on unfair trading); consumer measures to prevent scams; additional competition measures for platforms (such as mandatory codes); and targeted competition obligations on digital platforms (such as in relation to unfair self-preferencing and impediments to interoperability).9

What are the likely regulatory and enforcement developments in Australia in 2024?

We expect to see substantial legislative changes and regulatory activity in 2024.

  • Privacy Act Reform: on 28 September 2023, the Government responded to the Attorney-General's Privacy Act Review Report and committed to introducing legislative reform in 2024.10 The reforms will likely include an increase in the OAIC's enforcement powers and tools, and are expected to be implemented in stages, though we suspect fundamental reforms to privacy law may continue to be delayed and subject to further consultation.
  • 2023-2030 Australian Cyber Security Strategy: the strategy sets out the Government's approach to combating cyber risks and could result in new or expanded regulatory frameworks. The Government will shortly release a Consultation Paper to help address the new initiatives, identify gaps in existing laws and specifically look at amendments to the SOCI Act to strengthen protections for critical infrastructure. Organisations have the opportunity to make submissions until March 2024.11
  • Regulatory activity on cyber risks: we anticipate ASIC and APRA's focus on cyber risk and its associated impacts will continue, and expect these regulators to target enforcement activity as a way of driving industry standards. We also anticipate the OAIC will seek to exercise any broader regulatory toolkit, and continue its focus on response to cyber incidents.
  • Artificial Intelligence and online safety: the Government has indicated its intention to reform the Basic Online Safety Expectations regime to introduce new expectations for services using generative AI to minimise the production of unlawful and harmful material.12 The Government also announced it will bring forward the statutory review of the Online Safety Act 2021 (Cth), in addition to the review of the Combatting Misinformation and Disinformation Bill 2023.13
  • Regulation of digital platforms: the Government indicated its support for significant regulatory reform in relation to digital platforms and is undertaking further work to consult on these recommendations and implement them. We expect further updates in this space during 2024.

Key regulators and enforcement agencies in this area

OAIC, ACCC, ACMA, ASIC, APRA (for banks, insurers and superannuation funds), the Department of Home Affairs and the Australian Signals Directorate (for SOCI Act-regulated entities) and the Foreign Investment Review Board (FIRB) (for entities that are the subject of data conditions imposed as part of foreign investment acquisition).

Key sectors of focus

Given all entities hold some form of customer and employee data, all are potential targets. However, any entity that holds particularly sensitive information should be on high alert. Digital platforms such as Amazon, Apple, Google, Meta and Microsoft will remain a focus of the ACCC.

Footnotes

  1. See https://www.oaic.gov.au/newsroom/oaic-commences-federal-court-proceedings-against-australian-clinical-labs-limited.

  2. See Privacy Commissioner, Pacific Lutheran College (Privacy) [2023] AICmr 98 and Datateks Pty Ltd (Privacy) [2023] AICmr 97.

  3. See https://www.acma.gov.au/outcomes-compliance-priorities-2022-23.

  4. For further detail, see https://www.allens.com.au/insights-news/insights/2023/06/Takeaways-from-the-recent-Optus-and-Medibank-data-breach-class-actions/.

  5. Australian Prudential Regulation Authority, 'APRA finalises new prudential standard on operational risk' (Media Release, 17 July 2023).

  6. See https://www.cyber.gov.au/about-us/view-all-content/advice-and-guidance/guidelines-secure-ai-system-development and https://www.allens.com.au/insights-news/insights/2023/12/why-everyone-is-talking-about-ai-safety-and-cybersecurity/.

  7. See https://www.minister.industry.gov.au/ministers/husic/media-releases/australia-signs-bletchley-declaration-ai-safety-summit.

  8. See https://www.esafety.gov.au/industry/codes. The industry code in respect of class 1A and class 1B material for internet search engine services comes into effect on 12 March 2024. The eSafety Commissioner is consulting on industry codes for electronic services and designated internet services.

  9. See https://treasury.gov.au/sites/default/files/2023-12/p2023-474029.pdf.

  10. See https://www.ag.gov.au/rights-and-protections/publications/government-response-privacy-act-review-report. The Government has 'agreed' or 'agreed in-principle' with the majority of the proposals of the Report.

  11. For further information, see https://www.allens.com.au/insights-news/insights/2023/11/federal-government-releases-cyber-security-strategy/.

  12. The Honourable Michelle Rowland MP, 'Address to the National Press Club' (Speech, National Press Club, 22 November 2023) available at https://minister.infrastructure.gov.au/rowland/speech/address-national-press-club.

  13. See https://minister.infrastructure.gov.au/rowland/speech/address-national-press-club.