Offshore data collection to be subject to Privacy Act

Brandon How

Foreign companies operating in Australia could soon be subject to the Privacy Act even if they do not collect or hold citizen data “directly from a source in Australia” under new laws that also propose significantly higher penalties for data breaches.

Attorney-General Mark Dreyfus introduced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 to Parliament on Wednesday, having foreshadowed the changes over the weekend.

At almost the same time, Medibank revealed the scale of its data breach was far worse than first anticipated, with all 3.9 million customers served by the health insurer and its subsidiaries potentially compromised.

The bill will amend the Privacy Act to raise the maximum penalty of serious or repeated breaches from $2.22 million to $50 million or three-times the value of any benefit obtained through the misuse of information, whatever if greater.

If the value of the data cannot be determined, the firm will be fined 30 per cent of its adjusted turnover in the relevant period.

Attorney-General Mark Dreyfus

Mr Dreyfus said the amendments will help ensure “Australia’s privacy laws remain fit for purpose in a globalised world”.

“To ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore, the Bill will amend the Act’s extraterritoriality provisions,” he said.

“This will mean that even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they ‘carry on a business’ in Australia.”

Further, firms affected by eligible data breaches involving Australian data held offshore will be required to report these incidents under the Notifiable Data Breach scheme introduced in 2018.

The amendments come as global tech companies clash with Australian governments on the prospect of data localisation.

Other additional powers that will be conferred to the Australian Information Commissioner include an expansion of the declarations that can be made at the conclusion of an investigation, new powers to conduct assessments, new infringement notice powers to penalise entities that fail to provide information, and a strengthening of the notifiable data breaches scheme.

Home Affair Minister Clare O’Neil flagged increased penalties for data breaches in the wake of the Optus compromise last month that affected the data of almost 10 million Australians. While most had some personal details compromised, around 2.1 million people had their ID documents compromised, including 43,000 Medicare card numbers.

Since then, Medibank has disclosed an equally significant data breach affecting its customers, which was initially thought to be limited to international student customers and those under the ahm brand.

On Wednesday, the health insurer confirmed that the personal data and significant amounts of health claims data from all 3.9 million customers were accessible to the cyber criminal.

The health claims data includes where medical services were received, and codes relating to diagnoses and procedures. Other data stolen by the criminal includes Medicare numbers and policy numbers, and “data related to credit card security”.

The Australian Federal Police is currently investigating the breach.

To boost coordination of agencies across the federal government, state and territory governments and private sector stakeholders, in response to the data breach, Home Affairs minister Clare O’Neil activated the National Coordination Mechanism over the weekend. The emergency management tool was instituted in response to the COVID-19 pandemic.

Cybercrime, formerly the responsibility of the Home Affairs minister, was added to the ministerial responsibilities of the Attorney-General earlier this month through an Administrative Arrangements Order.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories