
On 25 March, Australia’s Attorney-General Christian Porter and Minister for Communications and the Arts Mitch Fifield announced a proposal to significantly increase the penalty regime under the Australian Privacy Act 1988. The announcement came soon after the Justice Select Committee’s final report on the New Zealand Privacy Bill, and was made in response to the role of social media in the Christchurch terrorist attack on 15 March.


The announcement makes it clear that the new laws are designed to expressly target online social media platforms, with Minister Fifield stating that “[t]he tech industry needs to do much more to protect Australians’ data and privacy”.

The tragic events that took place in Christchurch informed the Australian Government’s decision. Australian Prime Minister Scott Morrison criticised the fact that the massacre, which was live-streamed, could be freely viewed for over an hour.

The proposed changes

The proposal includes the following changes:

  • Harsher penalties for privacy breaches: The current maximum civil penalty available in Australia for ‘serious and repeated interferences’ of individual privacy is $420,000, or $2.1 million for a body corporate. Under the proposal, which will bring the penalty regime under Australian privacy law more in line with that found in the European Union’s General Data Protection Regulation (‘GDPR’), the maximum would be increased to the greater of:
    • $10 million; or
    • three times the value of any benefit obtained through the misuse of information; or
    • 10% of the company’s annual domestic turnover.
  • Powers of the Office of the Australian Information Commissioner (‘OAIC’): The announcement also contemplates the introduction of new powers for the OAIC, including:
    • the power to issue infringement notices and impose penalties for failure to cooperate with efforts to resolve minor breaches (up to $12,600 for individuals and up to $63,000 for bodies corporate); and
    • the power to ensure that breaches can be addressed through alternative means including the use of third party reviews, publishing prominent notices about specific breaches, and ensuring that those directly affected are advised about the breach.
  • Social media platforms: New requirements were also proposed, under which social media and online platforms will be required to stop using or disclosing an individual's personal information upon request.

  • Children and other vulnerable groups: The announcement also proposed an introduction of specific rules designed to protect the personal information of children and other vulnerable groups.

The proposed changes are yet to become law. However, the announcement contemplates that the relevant legislation will be drafted for consultation in the second half of 2019.

New Zealand – much smaller teeth

New Zealand is currently reforming its privacy laws. The Justice Select Committee’s final report on the New Zealand Privacy Bill was released on 13 March (see our comments on the key changes here).

Although the Privacy Bill in its current form addresses some of the issues found in the Australian announcement, the key distinction between the proposed Australian regime and that contemplated by the New Zealand Privacy Bill is the quantum of the maximum fines for breaches of the law.

The New Zealand Privacy Commissioner had previously called for the ability to apply to the court for a civil penalty of $1,000,000 for bodies corporate. However, notwithstanding submissions from the Privacy Commissioner and others (see Kensington Swan’s submission here), the maximum payable fine under the Privacy Bill remains at $10,000 – a mere fraction of the penalties that could be imposed under the Australian proposals or under the GDPR.

What next for New Zealand?

The revised Privacy Bill will now be heard and debated by the New Zealand Parliament and, if it passes its second reading in Parliament (which we expect it will), will then be considered by the Committee of the whole House. During or prior to the Committee of the whole House stage, any Member of Parliament may propose that amendments to the Privacy Bill be considered, by submitting a Supplementary Order Paper or last-minute typescript amendment.

We expect that the current political environment may affect these later stages of the legislative process, and it would not surprise us if the House were asked to at least consider increasing the scope of the fines available under New Zealand privacy law, in order to more closely align New Zealand’s position with that of its second-largest trading partner.

While it would be unusual for a key policy change to a Bill to be made at such a late stage, the balance between privacy and security issues is squarely in the political spotlight in the wake of the Christchurch terrorist attack, and an increase in enforcement powers (however tangential to the events in Christchurch) may be seen as part of the political response.

We will regularly be publishing updates on the Privacy Bill as it progresses through the New Zealand legislature. If you would like specific advice on what the Bill will mean for your business, please contact Hayley Miller, Hayden Wilson, Gretchen Fraser, or Campbell Featherstone.


