Privacy laws: things are about to change

As of December last year, the Privacy Act has undergone a major overhaul in an attempt to counteract the damage done when two serious data breaches took place.

The big hacks

While most people assume their data is safe in the hands of big businesses, thousands of Australians found out this isn’t necessarily the case, when their personal information was released following the Optus and Medibank hacks. The latter even led to the release of medical information.

Following the backlash, a change in privacy laws was inevitable. The amendments aim to provide greater protection of the personal data and privacy of Australians.

So, how do they achieve this? The penalties for serious or repeated interferences with privacy have been increased under the Privacy Act.

What do agencies need to know?

The big question for real estate agencies is: what constitutes a serious or repeated interference with someone’s privacy? 

Well, according to the law, these are two different concepts/actions, and for either of them you could be found liable for the penalties. 

In some cases, your actions might be found to be both serious and repeated.

The next question then is: what is a serious interference with someone’s privacy? 

This is what a reasonable person would consider to be a ‘serious’ interference – therefore, as the standards of society and people change over time, so too does what we consider ‘serious’.

Serious interference

Today, the aspects generally looked at when determining if the interference was serious include the number of people affected, whether sensitive information was involved, whether one or more individuals suffered, or are likely to suffer, significant harm from the interference, whether your interference was done deliberately or recklessly, or who was responsible for the breach – for example, were they senior staff, experienced, etc?

What, then, is repeated interference? This means that you or your organisation have interfered with the privacy of an individual or multiple people on two or more occasions – whether it be because of the same actions or different ones.

However, the interferences must have occurred on separate occasions – so if an interference happens simultaneously for multiple individuals, it will only count as one occasion.

The changes

The new changes to the Act increase the penalties for bodies corporate in breach of these provisions to:

  • $50 million;
  • triple the value of any benefit obtained from the contravention; or
  • 30 per cent of the adjusted turnover over a relevant period

The greater of the three will be applied as the penalty. Previously, the penalty was $2.22 million.

The changes to the act increase the penalties for individuals in breach of these provisions to:

  • a maximum of $2.5 million.

Previously the penalty was $440,000.

The changes also increased the Commissioner and OAIC’s enforcement and sharing powers. These include a more detailed notification to the Commissioner when you experience a notifiable data breach.

What happens after a breach

When an entity faces a data breach that is notifiable they are required to prepare a statement for the Commissioner.

This statement must also contain the particular kinds of information that were involved in the data breach.

For example, previously it was enough to mention that ‘contact information’ had been breached. Now, the particular kind of contact information must be mentioned (such as phone number, home address).

The Commissioner and OAIC can now assess your ability to comply with the notifiable data breach scheme. They can also issue infringement notices to someone who fails to provide information when they are required to. The penalty is:

  • 60 units for a person ($16,500)
  • 300 units for a body corporate ($82,500). 

They can also share information with other authorities such as enforcement bodies, other complaint bodies, an authority of the government, state, and/or territory. In addition, they can now publicly disclose information if it is in the public interest to do so.

For businesses this could have serious reputational consequences if you’re not careful with your privacy practices. So now is the time to familiarise yourself with the changes. 

Boring legal stuff: Even though this article was prepared by lawyers, this article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us. PS – congratulations if you have read this far, you must love legal disclaimers or are a sucker for punishment


Kristen Porter

Kristen Porter is a legal practitioner specialising in real estate, property management and privacy laws. She is the founding Director of O*NO Legal The Real Estate Agents' Lawyer.

Partner Content

This post is promoted by Elite Agent on behalf of one of our commercial partners (advertisers). For all partnership enquiries email