Penalties for Non-compliance
What are the potential penalties / remedies for non-compliance with the key data privacy and cybersecurity laws in the jurisdiction?

Last review date: 31 December 2023

There are:

☒        administrative remedies / civil penalties applied by regulators and law enforcement

Under the Privacy Act, the Information Commissioner has the power to investigate organizations, either in response to complaints or on the Commissioner's own initiative, and to accept enforceable undertakings, make determinations, and apply to the court for injunctions or civil penalties.

The maximum penalty for a corporation for serious and repeated interferences with privacy has recently been increased to the greater of:

  • AUD 50,000,000,
  • If a court can determine the value of the benefit obtained from the contravention - three times the value of the benefit, or
  • If a court cannot determine the value of the benefit obtained from the contravention - 30% of the body corporate's adjusted turnover during the breach turnover period.

Additionally, the Information Commissioner may issue infringement notices imposing monetary penalties for failure or refusal to provide information, answer questions or to produce documents or records required by the Commissioner. The Information Commissioner's determinations can include requirements for the respondent to a complaint to take specified steps to rectify conduct which led to a breach, which may include a direction to engage an independent and suitably qualified adviser to assist with this process at the respondent's own cost.

Under the Healthcare Identifiers Act, knowing or reckless unauthorized use or disclosure of healthcare identifiers gives rise to a maximum civil penalty of AUD 939,000 for corporations and AUD 187,700 for individuals.

Misuse of a My Health Record or breach of the requirements of the MHR Act is subject to a maximum civil penalty of AUD 2,347,500 for corporations and AUD 469,500 for individuals.

State and Territory public sector privacy, health records laws, surveillance laws, telecommunications laws and critical infrastructure laws also have their own civil penalty regimes which may be triggered by data-related breaches.

☒        criminal penalties from regulators and law enforcement

Use or disclosure of false or misleading credit reporting information, credit information or credit eligibility information is an offence under the Privacy Act subject to a maximum penalty of AUD 62,600.

It is also a criminal offence for a corporation to engage in conduct that constitutes a "system of conduct" or a "pattern of behaviour" which results in two or more failures or refusals to provide information, answer questions or produce documents or records required under the Privacy Act, subject to a penalty of AUD 93,900.

Unauthorized use or disclosure of healthcare identifiers is an offence under the Healthcare Identifiers Act subject to a maximum penalty of imprisonment for two years or AUD 37,560.

For criminal breaches of the My Health Record Act, the maximum penalty is up to five years' imprisonment and/or a fine of AUD 93,900.

State and Territory public sector privacy, health records laws, surveillance laws, telecommunications laws and critical infrastructure laws also have their own criminal penalty regimes, which may be triggered by data-related breaches.

Under the Crimes Act 1914 (Cth), for corporations, criminal pecuniary penalties can typically be increased five-fold, and terms of imprisonment can be converted into monetary penalties.

☒        private remedies

There is currently no private tort of interference with privacy in Australia. However:

  • Breach of the Australian Privacy Principles and certain other provisions in the Privacy Act is an interference with the privacy of an individual. An individual can complain to the OAIC about interferences with their privacy, and the OAIC may assist with conciliation or commence an investigation, and potentially subsequently make a determination in the individual's favor (which may result in compensation being paid to the individual and/or an apology being made)
  • An individual could potentially bring an action for damages on the basis of breach of statutory duty, on another tortious basis (e.g., negligence), or for breach of contract, depending on the circumstances
  • The report on the review of the Privacy Act proposed – and the government has agreed in-principle – that the legislature should introduce a direct right of action for individuals against organizations that breach their privacy and a tort for serious invasions of privacy.

☒        other

Failure to comply with the Privacy Act can result in complaint-based or Commissioner-initiated investigations by the OAIC, depending on the particular breach and the surrounding circumstances. The Information Commissioner is also empowered with broad information-sharing powers which enable it to share relevant information with other enforcement agencies, including the Australian Federal Police or Commonwealth Department of Public Prosecutions, in order for them to consider further enforcement action.

Organizations may also be required to give enforceable undertakings by regulators to avoid further enforcement action being taken.

Under some legislation (e.g., the Spam Act, the Telecommunications Act), although not currently under the Privacy Act, regulators may issue infringement notices requiring immediate payment of penalties and/or cessation of breaching conduct without needing to bring legal proceedings for a civil penalty order.

The report on the review of the Privacy Act proposed a range of changes to enforcement and remedies for non-compliance. Some of the proposed changes were introduced in December 2022 (e.g., changes to maximum penalties, ability for OAIC to issue infringement notices). Other changes proposed by the report – and agreed by the government – include:

  • That there should be no need for interferences with privacy to be "repeated" before civil penalties can be imposed
  • What constitutes a "serious" interference with privacy should be clarified
  • A new mid-tier civil penalty provision should be introduced to cover non-serious interferences with privacy, and a new low-level civil penalty provision should be added to address specific administrative breaches of the law, with attached infringement notice powers for the OAIC with set penalties
  • Courts should be given the power to make any order they see fit after a civil penalty relating to an interference with privacy has been established
  • The OAIC should have the power to make declarations requiring APP entities to identify, mitigate and redress actual or reasonably foreseeable loss suffered by an individual as a result of an eligible data breach.

If data subjects have private remedies, what form can these remedies take?

Last review date: 31 December 2023

        individual personal actions

        representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

☐        class actions

Individuals do not currently have rights to directly enforce the Privacy Act (or the Spam Act, the DNCR Act, MHR Act or Healthcare Identifiers Act) in court. However, they may complain to the OAIC about an alleged interference with their privacy, and the OAIC may take enforcement action in response. Among other things, the OAIC may direct an APP entity who has breached the APPs in respect of an individual's personal information to apologize to the affected individual and/or pay them compensation. In civil penalty proceedings instigated by the OAIC, a court could also make orders aimed at redressing harm to affected individuals. As noted in a previous response, the report on the review of the Privacy Act proposes – and the government agrees in-principle – that the law should be changed to give individuals a direct right of action.

State and Territory health privacy / records laws also contain mechanisms for individuals to complain to relevant authorities about interferences with privacy, with escalation to a tribunal expressly contemplated in some States' legislation. The position is typically similar under general State / Territory public sector privacy laws, although notably the Information Privacy Act 2014 (ACT) contemplates that individuals may seek certain orders from courts.