Explanatory Memorandum
(Circulated by authority of the Attorney-General, Senator the Honourable George Brandis QC)
General Outline
1. This Bill makes amendments to 15 Commonwealth Acts in order to implement the Regulatory Powers Act (Standard Provisions) Act 2014 (the 'Regulatory Powers Act'). The Regulatory Powers Act provides for a standard suite of provisions in relation to monitoring and investigation powers, as well as enforcement provisions through the use of civil penalties, infringement notices, enforceable undertakings and injunctions.
2. The Regulatory Powers Act received Royal Assent on 21 July 2014 and commenced on 1 October 2014. The Regulatory Powers Act only has effect where Commonwealth Acts are drafted or amended to trigger its provisions.
3. The Bill amends the following Commonwealth Acts to repeal current provisions providing for regulatory regimes in those Acts, and instead trigger the standard provisions of the Regulatory Powers Act:
- the Australian Sports Anti-Doping Authority Act 2006 (the 'ASADA Act')
- the Building Energy Efficiency Disclosure Act 2010 (the 'BEED Act')
- the Coal Mining Industry (Long Service Leave) Administration Act 1992 (the 'Administration Act')
- the Coal Mining Industry (Long Service Leave) Payroll Levy Collection Act 1992 (the 'Payroll Levy Collection Act')
- the Defence Act 1903
- the Defence Reserve Service (Protection) Act 2001
- the Greenhouse and Energy Minimum Standards Act 2012 (the 'GEMS Act')
- the Horse Disease Response Levy Collection Act 2011 (the 'Horse Disease Act')
- the Illegal Logging Prohibition Act 2012 (the 'Illegal Logging Act')
- the Industrial Chemicals (Notification and Assessment) Act 1989 (the 'ICNA Act')
- the Paid Parental Leave Act 2010 (the 'PPL Act')
- the Personal Property Securities Act 2009 (the 'PPS Act')
- the Privacy Act 1988
- the Tobacco Plain Packaging Act 2011 (the 'TPP Act'), and
- the Weapons of Mass Destruction (Prevention of Proliferation) Act 1995 (the 'WMD Act').
4. Implementing the Regulatory Powers Act will support the government's regulatory reform agenda as that Act intends to simplify and streamline Commonwealth regulatory powers across the statute book. This will provide regulatory agencies with the opportunity to use more uniform powers, and increase legal certainty for businesses and individuals who are subject to those powers.
5. The Bill also makes minor amendments to the Regulatory Powers Act to clarify the operation of certain provisions and remove unreasonable administrative burdens on agencies exercising regulatory powers under the Regulatory Powers Act. The amendments concern the ability to secure evidence of a contravention when exercising monitoring powers, the age of photographs for identity cards, the time period for the making of a civil penalty order and the cap on the amount to be stated in an infringement notice.
6. The Bill seeks to align the 15 Commonwealth Acts with the standard provisions of the Regulatory Powers Act. Accordingly, there are minor changes to those Acts. In most instances, the changes are minor, technical changes that modernise drafting terminology. In some circumstances, the changes result in a minor expansion to existing regulatory powers of those Acts. Where necessary, the Bill modifies the operation of the standard provisions of the Regulatory Powers Act to retain existing powers in those Acts.
Financial Impact
7. This Bill will have a nil or insignificant financial impact on government departments and agencies, as the amendments generally do not alter the effect of the law.
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Regulatory Powers (Deregulation) Bill 2016
8. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
9. This Bill makes amendments to 15 Commonwealth Acts in order to implement the Regulatory Powers Act. The Regulatory Powers Act received Royal Assent on 21 July 2014 and commenced on 1 October 2014. The Regulatory Powers Act only has effect where Commonwealth Acts are drafted or amended to trigger its provisions.
10. The purpose of this Bill is to amend various Commonwealth Acts to repeal current provisions providing for regulatory regimes in those Acts, and instead trigger the standard provisions of the Regulatory Powers Act. The purpose of this standardisation is to simplify and streamline Commonwealth regulatory powers across the statute book.
11. The Bill also makes minor amendments to the Regulatory Powers Act.
12. As noted by the Parliamentary Joint Committee on Human Rights in its consideration of the Regulatory Powers (Standard Provisions) Bill 2014, it is necessary to consider the human rights impact in the specific context of each legislative regime that triggers the Regulatory Powers Act. Accordingly, the human rights impact is considered separately for each of the Acts to be amended by this Bill.
Overview of Schedule 13 - Privacy Act 1988
351. The Privacy Act 1988 regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information. Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence. The Privacy Act gives effect to Article 17 of the ICCPR, giving individuals rights in relation to how organisations and agencies handle personal information, both online and offline.
352. Schedule 13 to this Bill amends the Privacy Act to trigger the civil penalty provisions in Part 4 of the Regulatory Powers Act, which means that the civil penalty provisions of the Privacy Act are enforceable under that Part of the Regulatory Powers Act.
353. Under these amendments, the Commissioner (defined in the Privacy Act as the Information Commissioner within the meaning of the Australian Information Commissioner Act 2010) is authorised to apply to a relevant court for a civil penalty order requiring a person to pay the Commonwealth a pecuniary penalty for a contravention of the Privacy Act. Subsections 82(5) and (6) of the Regulatory Powers Act provide for how the pecuniary penalty in a civil penalty order is to be determined.
354. The Privacy Act is also amended to trigger the enforceable undertakings provisions in Part 6 of the Regulatory Powers Act, which will enable the Commissioner to accept and enforce undertakings relating to compliance with the provisions of the Privacy Act. Further, if the Commissioner is satisfied that the person has breached the undertaking, he or she may apply to a relevant court for an order relating to the undertaking.
355. Schedule 13 to this Bill also amends the Privacy Act to trigger the injunctions provisions in Part 7 of the Regulatory Powers Act, which will enable the Commissioner to apply to a relevant court for an injunction to restrain the person from engaging in conduct or requiring the person to do a thing. Further, the Commissioner may apply to a relevant court for an interim injunction.
Human rights implications
Civil penalties and Article 14
356. The Privacy Act creates civil penalties for contraventions of that Act by setting out civil penalty provisions. Those civil penalty provisions are retained under Schedule 13 to this Bill. However, the amendments in Schedule 13 mean that the enforcement framework for those civil penalty provisions is provided by the Regulatory Powers Act, instead of by the Privacy Act.
357. Triggering the civil penalty provisions of the Regulatory Powers Act could engage the criminal process rights under Article 14 of the ICCPR if the imposition of civil penalties is classified as 'criminal' under international human rights law. As set out above, determining whether the penalties could be considered to be criminal under international human rights law requires consideration of the classification of the penalty provisions under Australian domestic law, the nature and purpose of the penalties, and the severity of the penalties.
358. The civil penalty provisions of the Privacy Act expressly classify the penalties as civil penalties. These provisions create solely pecuniary penalties in the form of a debt payable to the Commonwealth. The purpose of these penalties is to encourage compliance with the Privacy Act, which supports the implementation of Australia's obligations under the ICCPR. The civil penalty provisions do not impose criminal liability, and do not lead to the creation of a criminal record. The penalties only apply to the regulatory regime of the Privacy Act, rather than to the public in general. Further, the imposition of the civil penalties is not dependent on a finding of guilt. These factors all suggest that the civil penalties imposed by the Privacy Act are civil rather than criminal in nature.
359. The amendments in Schedule 13 to this Bill do not alter the maximum pecuniary penalties specified for contraventions of the Privacy Act (see current subsection 80U(5) of the Privacy Act). The Privacy Act specifies penalties of 60, 200, 500, 1000 or 2000 penalty units in various civil penalty provisions. Subsection 82(5) of the Regulatory Powers Act, as applied to the Privacy Act, provides that where the person is not a body corporate, a pecuniary penalty must not be more than the penalty specified for the civil penalty provision, and if the person is a body corporate, the pecuniary penalty must not be more than five times the pecuniary penalty specified for the civil penalty provision. The application of this provision preserves the effect of current subsection 80W(5) of the Privacy Act. Accordingly, the maximum penalties for bodies corporate are 300, 1000, 2500 or 10 000 penalty units depending on the provision. This preserves the current maximum penalty amounts.
360. The Privacy Act confers enforcement and other regulatory powers on the Commissioner, which are based on an escalation model that has a range of regulatory responses including civil penalty provisions. The Guide to Privacy Regulatory Action provides guidance on the Commissioner's exercise of regulatory powers in the Privacy Act and indicates the preferred regulatory approach is to work with entities to facilitate legal and best practice compliance. The Guide states the Commissioner will not seek a civil penalty order for all contraventions of a civil penalty provision in the Privacy Act and is unlikely to seek a civil penalty order for minor or inadvertent contraventions.
361. The more serious penalties apply to serious breaches of privacy. For example, section 13G of the Privacy Act imposes a civil penalty of 2000 penalty units for serious interference with an individual's privacy or repeated interference with the privacy of one or more individuals. The penalties set out in the civil penalty provisions are maximum penalties and it is open to a court to exercise its discretion to impose a lower penalty. This discretion would be informed by reference to subsection 82(6) of the Regulatory Powers Act, which provides that a court must take into account all relevant matters in determining a pecuniary penalty, including the nature and extent of the contraventions, the loss or damage suffered, the circumstances in which the contraventions took place and whether a court has previously found the person to have engaged in similar conduct. Subsection 82(6) of the Regulatory Powers Act preserves section 80W(6) of the Privacy Act.
362. The civil penalty provisions do not carry the possibility of imprisonment.
363. The amendments in Schedule 13 to this Bill will also apply section 85 of the Regulatory Powers Act, which provides that a relevant court may make a single civil penalty order against a person for multiple contraventions of a civil penalty provision if proceedings for the contraventions are founded on the same facts, or if the contraventions form, or are part of, a series of contraventions of the same or a similar character; however, the penalty must not exceed the sum of the maximum penalties that could be ordered if a separate penalty were ordered for each of the contraventions. There are no criminal consequences associated with civil penalty orders for multiple contraventions. For example, they do not carry the possibility of imprisonment.
364. As such, the civil penalties under the Privacy Act are not sufficiently severe that they could be considered to be criminal penalties for the purposes of Australia's human rights obligations. Accordingly, the criminal process rights provided for by Article 14 of the ICCPR are not engaged by the amendments relating to civil penalty orders in Schedule 13 to this Bill.
365. The amendments relating to civil penalty provisions in Schedule 13 to this Bill engage, but do not limit, the right to a fair and public hearing in civil proceedings provided for by Article 14(1) of the ICCPR. Under section 82 of the Regulatory Powers Act, civil penalty orders can only be granted by a relevant court, which must consider all relevant matters before determining the amount of the penalty. Accordingly, the right to a fair hearing is not limited.
366. Application of the standard civil penalty provisions of the Regulatory Powers Act does result in a minor expansion of the current regulatory powers framework of the Privacy Act due to the triggering of section 93 of the Regulatory Powers Act. Section 93 of the Regulatory Powers Act provides that if an act or thing is required under a civil penalty provision to be done within a particular period or before a particular time, the obligation to do that act or thing continues until that act or thing is done, even if the period has expired or the time has passed. This section further provides that a person commits a separate contravention of the civil penalty provision in respect of each day during which the contravention occurs, including the day the civil penalty order is made (or any later day). This section is necessary to ensure that failure to comply with an obligation does not excuse a person from meeting that obligation. As discussed above, section 85 of the Regulatory Powers Act provides that a relevant court may make a single civil penalty order against a person for multiple contraventions of a civil penalty provision if proceedings for the contraventions are founded on the same facts, or if the contraventions form, or are part of, a series of contraventions of the same or a similar character. However, the penalty must not exceed the sum of the maximum penalties that could be ordered if a separate penalty were ordered for each of the contraventions. There are no criminal consequences associated with civil penalty orders for multiple contraventions. For example, they do not carry the possibility of imprisonment. The application of section 93 of the Regulatory Powers Act does not engage any human rights.
Additional civil penalty provisions without human rights implications
367. Alignment with the Regulatory Powers Act will apply additional provisions, which are not currently in the Privacy Act, that are merely procedural in nature. These are sections 94, 95, 96 and 97 of the Regulatory Powers Act.
368. Sections 94, 95 and 97 of the Regulatory Powers Act relate to the relevance of a person's state of mind, mistake of fact and vicarious liability of employees, agents or officers of a body corporate, respectively. These provisions do not engage the criminal process rights in Article 14 of the ICCPR, as they do not impact upon criminal proceedings.
369. Section 96 of the Regulatory Powers Act provides that, in proceedings for a civil penalty order against a person for a contravention of a civil penalty provision, a person bears an evidential burden where that person wishes to rely on any exception, exemption, excuse, qualification or justification provided by the law creating the civil penalty provision. As section 96 of the Regulatory Powers Act only relates to proceedings for civil penalty orders, not offences, the right to be presumed innocent in Article 14(2) of the ICCPR is not engaged.
Enforceable undertakings and Article 14
370. Under the amendments in Schedule 13 to this Bill, enforceable undertakings may be accepted and enforced under the Regulatory Powers Act in relation to contraventions of provisions of the Privacy Act (including offence provisions). As the enforceable undertakings framework applies to the offence provisions, the right to a fair and public hearing and the other criminal process rights and minimum guarantees in Article 14 of the ICCPR are engaged.
371. Under Part 6 of the Regulatory Powers Act, an order enforcing an undertaking that relates to compliance with provisions of the Privacy Act can only be made by a court. Accordingly, the right to a fair and public trial is not limited.
372. The amendments in Schedule 13 to this Bill also do not limit the minimum guarantees and other criminal process rights in Article 14 of the ICCPR.
Injunctions and Article 14
373. Under the amendments in Schedule 13 to this Bill, an injunction can be granted under the Regulatory Powers Act in relation to contraventions of the provisions of the Privacy Act. Accordingly, as the injunctions framework applies to the offence provisions of the Privacy Act, the right to a fair and public trial and the other criminal process rights and minimum guarantees provided for by Article 14 of the ICCPR are engaged.
374. Under Part 7 of the Regulatory Powers Act, an injunction can only be granted by a court. Further, a court may only grant an injunction where a person has engaged, is engaging or is proposing to engage, in conduct that contravenes a provision of the Privacy Act, or where a person has refused or failed, or is refusing or failing, or proposing to refuse or fail, to do a thing and that refusal or failure was, is or would be a contravention of a provision of the Privacy Act. Thus, the right to a fair and public trial is not limited.
375. The other criminal process rights and minimum guarantees in Article 14 of the ICCPR are not limited by the amendments in Schedule 13 to this Bill.
Right to privacy
376. Schedule 13 to this Bill also modifies the operation of Part 6 of the Regulatory Powers Act, and provides that the Commissioner may publish an undertaking given in relation to a provision of that Act on the Commissioner's website. New subsection 80V(4) of the Privacy Act preserves the effect of current subsection 33E(5) of that Act.
377. This provision engages the protection against arbitrary or unlawful interference with privacy. Article 17 of the ICCPR prohibits arbitrary or unlawful interference with an individual's privacy, family, home or correspondence, and protects a person's honour and reputation from unlawful attacks. The right to privacy can be limited to achieve a legitimate objective where the limitations are lawful and not arbitrary. In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the circumstances. The United Nations Human Rights Committee has interpreted the requirement of 'reasonableness' as implying that any interference with privacy must be proportionate to a legitimate end and be necessary in the circumstances.
378. The Privacy Act pursues the legitimate objective of giving effect to Australia's obligations under Article 17 of the ICCPR. It pursues this objective by regulating the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information.
379. To the extent that the power in new section 80V(4) of the Privacy Act may limit the right to privacy, this limitation is provided for by law. It is necessary that the Commissioner retain the power in new section 80V(4) of the Privacy Act in order to pursue the legitimate objective of the Privacy Act by promoting compliance with that Act. The power may only be exercised by the Commissioner, ensuring that its use is reasonable, necessary and proportionate to the objectives of the Privacy Act and limiting the risk of abuse of this power. The objectives of the Privacy Act are themselves consistent with the ICCPR. Accordingly, the provision is compatible with the protection from arbitrary or unlawful interference with privacy.
Conclusion
380. Schedule 13 to this Bill is compatible with human rights because to the extent that it may limit human rights, the limitation of those rights is necessary, reasonable and proportionate.
Schedule 13 - Privacy Act 1988
General Outline
1519. The Privacy Act 1988 regulates the handling of personal information about individuals. This includes the collection, use, storage and disclosure of personal information, and access to and correction of that information. Article 17 of the International Covenant on Civil and Political Rights (the 'ICCPR') provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence. Australia gives effect to Article 17 of the ICCPR through the Privacy Act, which gives individuals rights in relation to how organisations and agencies handle personal information, both online and offline.
1520. Current Part VIB of the Privacy Act establishes a framework that allows civil penalty orders to be sought from a court in relation to contraventions of civil penalty provisions. Current Division 3B of Part IV of the Privacy Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions of that Act. Current section 98 of the Privacy Act deals with the use of injunctions to enforce provisions of that Act.
1521. This Schedule amends the Privacy Act to apply the standard civil penalty, enforceable undertaking and injunction provisions of the Regulatory Powers Act. Application of these provisions does result in a minor expansion of the current regulatory powers framework of the Privacy Act due to the acquisition of section 93 of the Regulatory Powers Act; however, that provision is necessary to ensure that failure to comply with an obligation does not excuse a person from meeting that obligation. The other provisions gained by alignment with the Regulatory Powers Act, which are not currently in the Privacy Act, are merely procedural matters in relation to civil penalty provisions. This Schedule also modifies the operation of the Regulatory Powers Act to retain an existing power in the Privacy Act.
1522. Part 4 of the Regulatory Powers Act creates a framework for the use of civil penalties to enforce civil penalty provisions. Subsection 78(2) of the Regulatory Powers Act states that, in order for Part 4 of the Regulatory Powers Act to operate, a civil penalty provision must be made enforceable under that Part by another Act (a triggering Act). When a triggering Act applies Part 4 of the Regulatory Powers Act, it must identify the authorised person or persons and relevant court or courts that may exercise powers under that Part (see sections 80 and 81 of the Regulatory Powers Act). The triggering Act must also express whether the authorised person may delegate his or her powers and functions in relation to the civil penalty provisions of the triggering Act (see subsection 80(3) of the Regulatory Powers Act). If civil penalty provisions of the triggering Act apply in external Territories or offshore areas, the triggering Act should identify whether Part 4 of the Regulatory Powers Act extends to any external Territories.
1523. Part 6 of the Regulatory Powers Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions of an Act. Subsection 110(2) of the Regulatory Powers Act states that, in order for Part 6 of the Regulatory Powers Act to operate, a provision of an Act or legislative instrument must be made enforceable under that Part by a triggering Act. When a triggering Act applies Part 6 of the Regulatory Powers Act, it must identify the authorised person or persons and the relevant court or courts that may exercise powers under Part 6 of the Regulatory Powers Act (see sections 112 and 113 of the Regulatory Powers Act). It must also express whether the authorised person or persons may delegate his or her powers and functions under Part 6 of the Regulatory Powers Act in relation to the enforceable undertakings provisions of the triggering Act (see subsection 112(3) of the Regulatory Powers Act). If provisions of the triggering Act are subject to enforceable undertakings and apply in external Territories or offshore areas, the triggering Act should identify whether Part 6 of the Regulatory Powers Act extends to any external Territories.
1524. Part 7 of the Regulatory Powers Act creates a framework for the use of injunctions to enforce provisions of an Act. Subsection 117(2) of the Regulatory Powers Act states that, in order for Part 7 of the Regulatory Powers Act to operate, a provision of an Act or legislative instrument must be made enforceable under that Part by a triggering Act. When a triggering Act applies Part 7 of the Regulatory Powers Act, it must identify an authorised person or persons and a relevant court or courts that may exercise powers under Part 7 of the Regulatory Powers Act (see sections 119 and 120 of the Regulatory Powers Act). A triggering Act must also express whether an authorised person or persons may delegate his or her powers and functions under Part 7 of the Regulatory Powers Act in relation to provisions subject to an injunction under the triggering Act (see subsection 119(3) of the Regulatory Powers Act). If provisions of the triggering Act are subject to an injunction and apply in external Territories or offshore areas, the triggering Act should identify whether Part 7 of the Regulatory Powers Act extends to any external Territories.
Comparison of Provisions
Privacy Act 1988
1525. The table below identifies the corresponding provisions of the Regulatory Powers Act (applied by item 7) for the provisions of the Privacy Act that are repealed by items 6, 7 and 8.
Current provision in the Privacy Act | Provision | Provision as amended by this Schedule | Applicable provision (Regulatory Powers Act) |
Civil penalty provisions | Part VIB | Part 4-Civil penalty provisions | |
Relevant courts | 80W(1) | Retained | N/A (see new subsection 80U(3) of the Privacy Act) |
Ancillary contravention of civil penalty provisions | 80V | Retained | 92 |
Civil penalty orders | 80W | Retained | 82 |
Civil enforcement of penalty | 80X | Retained | 83 |
Conduct contravening more than one civil penalty provision | 80Y | Retained | 84 |
Multiple contraventions | 80Z | Retained | 85 |
Proceedings may be heard together | 80ZA | Retained | 86 |
Civil evidence and procedure rules for civil penalty orders | 80ZB | Retained | 87 |
Contravening a civil penalty provision is not an offence | 80ZC | Repealed | N/A |
Civil proceedings after criminal proceedings | 80ZD | Retained | 88 |
Criminal proceedings during civil proceedings | 80ZE | Retained | 89 |
Criminal proceedings after civil proceedings | 80ZF | Retained | 90 |
Evidence given in proceedings for civil penalty order not admissible in criminal proceedings | 80ZG | Retained | 91 |
N/A (Continuing contraventions of civil penalty provisions) | N/A | Gained | 93 |
N/A (State of mind) | N/A | Gained | 94 |
N/A (Mistake of fact) | N/A | Gained | 95 |
N/A (Exceptions etc. to civil penalty provisions - burden of proof) | N/A | Gained | 96 |
N/A (Civil penalty provisions contravened by employees, agents or officers) | N/A | Gained | 97 |
Enforceable undertakings | Division 3B, Part IV | Part 6-Enforceable undertakings | |
Relevant courts | 33F(1) | Retained | N/A (see new subsection 80V(3) of the Privacy Act) |
Commissioner may accept undertakings | 33E | Retained | 114 |
Commissioner may publish the undertaking on the Commissioner's website | 33E(5) | Retained through modification to the Regulatory Powers Act | N/A (see new subsection 80V(4) of the Privacy Act) |
Enforcement of undertakings | 33F | Retained | 115 |
N/A (A relevant court may order that a person who has breached an enforceable undertaking pay the Commonwealth an amount up to the amount of any financial benefit that the person obtained directly or indirectly, and that is reasonably attributable to the breach) | N/A | Gained | 115(2)(b) |
Injunctions | 98 | Part 7-Injunctions | |
Relevant courts | 98 | Retained | N/A (see new subsection 80W(3) of the Privacy Act) |
Grant of injunctions | 98(1); 98(2) | Retained | 121 |
Interim injunctions | 98(3) | Retained | 122 |
Discharging or varying injunctions | 98(4) | Retained | 123 |
Certain limits on granting injunctions not to apply | 98(5); 98(6) | Retained | 124 |
No undertakings as to damages | 98(7) | Retained | 122(2) |
Other powers of a relevant court unaffected | 98(8) | Retained | 125 |
Part 1 - Amendments
Item 1 - Subsection 6(1) (definition of civil penalty order)
1526. Item 1 repeals the definition of civil penalty order in subsection 6(1) of the Privacy Act. That definition is no longer necessary, as this Schedule amends the Privacy Act to apply the standard provisions of the Regulatory Powers Act, and civil penalty order is defined in section 4 of that Act.
1527. It is not necessary to substitute a new definition of civil penalty order in subsection 6(1) of the Privacy Act, as that definition is only relevant for the purposes of civil penalty provisions, and is not applied in any other provision of that Act. Where the phrase 'civil penalty order' is used in a provision external to current Part VIB of the Privacy Act, that phrase is amended to 'civil penalty order [that] has been made under subsection 82(3) of the Regulatory Powers Act' or 'civil penalty under the Regulatory Powers Act' (see items 4, 5 and 9 below).
Item 2 - Subsection 6(1) (definition of civil penalty provision)
1528. Item 2 repeals the definition of civil penalty provision in subsection 6(1) of the Privacy Act, and substitutes a new definition to direct the reader to the Regulatory Powers Act, which defines civil penalty provision in section 4 of that Act.
Item 3 - Subsection 6(1)
1529. Item 3 amends subsection 6(1) of the Privacy Act to insert a definition of Regulatory Powers Act. That definition provides that a reference to the Regulatory Powers Act is a reference to the Regulatory Powers (Standard Provisions) Act 2014.
Item 4 - Subparagraph 25(1)(a)(i)
1530. Item 4 repeals current subparagraph 25(1)(a)(i) of the Privacy Act and substitutes a new subparagraph 25(1)(a)(i) of that Act.
1531. Current subparagraph 25(1)(a)(i) of the Privacy Act provides that the Federal Court or the Federal Circuit Court may order an entity to compensate a person for loss or damage (including injury to the person's feelings or humiliation) suffered by the person if a civil penalty order has been made against the entity for a contravention of a civil penalty provision (other than section 13G of the Privacy Act).
1532. New subparagraph 25(1)(a)(i) of the Privacy Act provides that the Federal Court or the Federal Circuit Court may order an entity to compensate a person for loss or damage (including injury to the person's feelings or humiliation) suffered by the person if a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against the entity for a contravention of a civil penalty provision of the Privacy Act (other than section 13G of the Privacy Act).
1533. Item 4 clarifies that, due to the amendments made by item 7 below, a civil penalty order is made under the Regulatory Powers Act.
1534. Item 4 is consequential to the amendments made by item 7 below, which repeals current Part VIB of the Privacy Act and applies the standard civil penalty, enforceable undertakings and injunctions provisions of the Regulatory Powers Act.
Item 5 - Subparagraph 25A(1)(a)(i)
1535. Item 5 repeals current subparagraph 25A(1)(a)(i) of the Privacy Act and substitutes a new subparagraph 25A(1)(a)(i) of that Act.
1536. Current subparagraph 25A(1)(a)(i) of the Privacy Act provides that section 25A of that Act applies if a civil penalty order has been made against an entity for a contravention of a civil penalty provision (other than section 13G of the Privacy Act).
1537. New subparagraph 25A(1)(a)(i) of the Privacy Act provides that section 25A of that Act applies if a civil penalty order has been made under subsection 82(3) of the Regulatory Powers Act against an entity for a contravention of a civil penalty provision of the Privacy Act (other than section 13G of the Privacy Act).
1538. Item 5 clarifies that, due to the amendments made by item 7 below, a civil penalty order is made under the Regulatory Powers Act.
1539. Item 5 is consequential to the amendments made by item 7 below, which repeals current Part VIB of the Privacy Act and applies the standard civil penalty, enforceable undertakings and injunctions provisions of the Regulatory Powers Act.
Item 6 - Division 3B of Part IV
1540. Item 6 repeals current Division 3B of Part IV of the Privacy Act, which creates a framework for accepting and enforcing undertakings relating to compliance with provisions of that Act.
1541. This item is consequential to the amendments made by item 4 below, which inserts new 'Division 2-Enforceable undertakings' of new 'Part VIB-Enforcement' of the Privacy Act, and applies the standard enforceable undertakings provisions in Part 6 of the Regulatory Powers Act to the Privacy Act.
Item 7 - Part VIB
1542. Item 7 repeals current Part VIB of the Privacy Act and substitutes new 'Part VIB-Enforcement', which includes new 'Division 1-Civil penalties', new 'Division 2-Enforceable undertakings' and new 'Division 3-Injunctions'. This item applies the provisions of Part 4 of the Regulatory Powers Act for the use of civil penalties to enforce the civil penalty provisions of the Privacy Act, and Part 6 of the Regulatory Powers Act for accepting and enforcing undertakings relating to provisions of the Privacy Act. Item 7 also applies the provisions of Part 7 of the Regulatory Powers Act for the use of injunctions to enforce provisions of the Privacy Act.
Civil penalty provisions
1543. Current Divisions 1, 2 and 3 of Part VIB of the Privacy Act provide for provisions in relation to civil penalty orders, and include sections 80U, 80V, 80W, 80X, 80Y, 80Z, 80ZA, 80ZB, 80ZC, 80ZD, 80ZE, 80ZF and 80ZG of the Privacy Act. Those sections are no longer necessary, as this Schedule amends the Privacy Act to apply the standard civil penalty provisions of the Regulatory Powers Act. The comparison table provided at paragraph 1526 above identifies the corresponding provisions of the Regulatory Powers Act for the provisions of the Privacy Act that are repealed by this item.
1544. New Division 1 of Part VIB of the Privacy Act directs the reader to Part 4 of the Regulatory Powers Act, which provides for provisions in relation to civil penalty orders (see the note to new subsection 80U(1) of the Privacy Act). New section 80U of the Privacy Act outlines matters in relation to authorised applicants, relevant courts and the extension of matters to external Territories.
1545. New subsection 80U(1) of the Privacy Act states that each civil penalty provision of that Act is enforceable under Part 4 of the Regulatory Powers Act, which ensures that Part 4 of the Regulatory Powers Act operates for the purposes of all civil penalty provisions in the Privacy Act. Item 7 also inserts a note at the end of new subsection 80U(1) of the Privacy Act, which directs the reader to Part 4 of the Regulatory Powers Act.
1546. New subsection 80U(2) of the Privacy Act identifies the Commissioner (defined in the Privacy Act as the Information Commissioner within the meaning of the Australian Information Commissioner Act 2010) as the authorised applicant in relation to the civil penalty provisions of that Act. This will enable the Commissioner to seek an order from a relevant court that a person, who is alleged to have contravened a civil penalty provision, must pay the Commonwealth a pecuniary penalty (that is, a 'civil penalty order'). New subsection 80U(2) of the Privacy Act preserves the effect of current subsection 80W(1) of that Act, which is repealed by this item.
1547. New subsection 80U(3) of the Privacy Act identifies the Federal Court of Australia and the Federal Circuit Court of Australia as a relevant court for the purposes of Part 4 of the Regulatory Powers Act, as that Part applies to the civil penalty provisions of the Privacy Act. New subsection 80U(3) of the Privacy Act reflects existing arrangements under that Act in relation to courts, and preserves the effect of current subsection 80W(1) of the Privacy Act, which is repealed by this item.
1548. New subsection 80U(4) of the Privacy Act extends the application of Part 4 of the Regulatory Powers Act, as that Part applies to the civil penalty provisions of the Privacy Act, to every external Territory. New subsection 80U(4) of the Privacy Act reflects existing arrangements under that Act (see section 5A of the Privacy Act).
1549. Application of the standard civil penalty provisions of the Regulatory Powers Act does result in a minor expansion of the current regulatory powers framework of the Privacy Act. The comparison table provided at paragraph 1526 above identifies the provision of the Regulatory Powers Act that is gained through alignment with that Act, and which does not currently exist in the Privacy Act (see section 93 of the Regulatory Powers Act, which is discussed below).
1550. Section 93 of the Regulatory Powers Act provides that if an act or thing is required under a civil penalty provision to be done within a particular period or before a particular time, the obligation to do that act or thing continues until that act or thing is done, even if the period has expired or the time has passed. This section further provides that a person commits a separate contravention of the civil penalty provision in respect of each day during which the contravention occurs, including the day the civil penalty order is made (or any later day). This provision is necessary to ensure that failure to comply with an obligation does not excuse a person from meeting that obligation.
1551. The comparison table provided at paragraph 1526 above also identifies other provisions gained through alignment with the Regulatory Powers Act, which are not currently in the Privacy Act, that are merely procedural in nature and set out matters in relation to state of mind, mistake of fact, burden of proof and vicarious liability (see sections 94, 95, 96 and 97 of the Regulatory Powers Act, which are discussed below).
1552. Section 94 of the Regulatory Powers Act provides that it is not necessary to prove a person's state of mind in civil penalty proceedings under that Act. Subsections 94(2) and (4) of the Regulatory Powers Act clarify that this does not apply to ancillary contravention of civil penalty provisions, or where the relevant provision expressly provides otherwise. Subsection 94(3) of the Regulatory Powers Act provides that subsection 94(1) of that Act does not affect the operation of section 95 of that Act.
1553. Section 95 of the Regulatory Powers Act provides that a person cannot be held liable for a civil penalty order if his or her actions arose from a legitimate mistake of fact.
1554. Section 96 of the Regulatory Powers Act provides that, in proceedings for a civil penalty order against a person for a contravention of a civil penalty provision, a person bears an evidential burden where that person wishes to rely on any exception, exemption, excuse, qualification or justification provided by the law creating the civil penalty provision.
1555. Section 97 of the Regulatory Powers Act provides that a body corporate is responsible for the actions of an employee, agent or officer of that body corporate, who is acting within the actual or apparent scope of his or her employment, or within his or her actual or apparent authority.
1556. Alignment with the Regulatory Powers Act will also repeal current section 80ZC of the Privacy Act. Current section 80ZC of the Privacy Act provides that a contravention of a civil penalty provision is not an offence. That section is no longer necessary, as the provision does not add anything beyond the established common law principle, and its inclusion is no longer in line with current drafting standards.
Enforceable undertakings
1557. Current Division 3B of Part IV of the Privacy Act provides for provisions in relation to enforceable undertakings and includes sections 33E and 33F of that Act. Those sections are no longer necessary, as this Schedule amends the Privacy Act to apply the standard enforceable undertakings provisions of the Regulatory Powers Act. The comparison table provided at paragraph 1526 above identifies the corresponding provisions of the Regulatory Powers Act for the provisions of the Privacy Act that are repealed by item 6 above.
1558. New section 80V of the Privacy Act directs the reader to Part 6 of the Regulatory Powers Act, which provides for provisions in relation to enforceable undertakings (see the note to new subsection 80V(1) of the Privacy Act). New section 80V of the Privacy Act outlines matters in relation to authorised persons, relevant courts, publication on the Commissioner's website and the extension of matters to external Territories.
1559. New subsection 80V(1) of the Privacy Act provides that the provisions of the Privacy Act are enforceable under Part 6 of the Regulatory Powers Act, which ensures that Part 6 of the Regulatory Powers Act operates for the purposes of all provisions in the Privacy Act. Item 7 also inserts a note at the end of new subsection 80V(1) of the Privacy Act, which directs the reader to Part 6 of the Regulatory Powers Act.
1560. New subsection 80V(2) of the Privacy Act identifies the Commissioner (defined in the Privacy Act as the Information Commissioner within the meaning of the Australian Information Commissioner Act 2010) as the authorised applicant in relation to the provisions mentioned in new subsection 80V(1) of that Act. This will enable the Commissioner to accept and enforce undertakings relating to compliance with provisions of the Privacy Act. New subsection 80V(2) of the Privacy Act preserves the effect of current section 33E of that Act, which is repealed by item 6 above.
1561. New subsection 80V(3) of the Privacy Act identifies the Federal Court of Australia and the Federal Circuit Court of Australia as a relevant court for the purposes of Part 6 of the Regulatory Powers Act, as that Part applies to the provisions of the Privacy Act. New subsection 80V(3) of the Privacy Act reflects existing arrangements under that Act in relation to courts, and preserves the effect of current subsection 33F(1) of the Privacy Act, which is repealed by item 6 above.
1562. New subsection 80V(4) of the Privacy Act modifies the operation of Part 6 of the Regulatory Powers Act, and provides that the Commissioner may publish an undertaking given in relation to a provision of that Act on the Commissioner's website. It is necessary to retain the Commissioner's power to publish in order to promote compliance with the obligations of the Privacy Act. New subsection 80V(4) of the Privacy Act preserves the effect of current subsection 33E(5) of that Act, which is repealed by item 6 above.
1563. New subsection 80V(5) of the Privacy Act extends the application of Part 6 of the Regulatory Powers Act, as that Part applies to the provisions of the Privacy Act, to every external Territory. New subsection 80V(5) of the Privacy Act reflects existing arrangements under that Act (see section 5A of the Privacy Act).
1564. Application of the standard enforceable undertakings provisions of the Regulatory Powers Act does not result in an expansion of the current regulatory powers framework of the Privacy Act. The comparison table provided at paragraph 1526 above identifies the provision that is gained through alignment with the Regulatory Powers Act, which is not currently in the Privacy Act, that is merely procedural in nature and sets out matters in relation to an order by a relevant court in relation to a breach of an enforceable undertaking (see paragraph 115(2)(b) of the Regulatory Powers Act, which is discussed below).
1565. Paragraph 115(2)(b) of the Regulatory Powers Act provides that a relevant court may order that a person who has breached an enforceable undertaking pay the Commonwealth an amount up to the amount of any financial benefit that the person obtained directly or indirectly, and that is reasonably attributable to the breach.
Injunctions
1566. Current section 98 of the Privacy Act creates a framework for the use of injunctions under that Act, and is no longer necessary, as this Schedule amends the Privacy Act to apply the standard injunctions provisions of the Regulatory Powers Act. The comparison table provided at paragraph 1526 above identifies the corresponding provisions of the Regulatory Powers Act for section 98 of the Privacy Act, which is repealed by item 8 below.
1567. New section 80W of the Privacy Act directs the reader to Part 7 of the Regulatory Powers Act, which provides for provisions in relation to injunctions (see the note to new subsection 80W(1) of the Privacy Act). This new section outlines matters in relation to authorised persons, relevant courts and the extension of matters to external Territories.
1568. New subsection 80W(1) of the Privacy Act provides that the provisions of that Act are enforceable under Part 7 of the Regulatory Powers Act. New subsection 80W(1) of the Privacy Act ensures that Part 7 of the Regulatory Powers Act operates for the purposes of all provisions in the Privacy Act. Item 7 also inserts a note at the end of new subsection 80W(1) of the Privacy Act, which directs the reader to Part 7 of the Regulatory Powers Act.
1569. New subsection 80W(2) of the Privacy Act identifies the Commissioner (defined in the Privacy Act as the Information Commissioner within the meaning of the Australian Information Commissioner Act 2010), or any other person, as an authorised person in relation to the provisions subject to injunctions under the Privacy Act. This will enable an authorised person to use injunctions to enforce the provisions of the Privacy Act. New subsection 80W(2) of the Privacy Act preserves the effect of current section 98 of that Act, which is repealed by item 8 below.
1570. New subsection 80W(3) of the Privacy Act identifies the Federal Court of Australia and the Federal Circuit Court of Australia as a relevant court for the purposes of Part 7 of the Regulatory Powers Act, as that Part applies to the provisions of the Privacy Act. New subsection 80W(3) of the Privacy Act reflects existing arrangements under that Act in relation to courts, and preserves the effect of current section 98 of the Privacy Act, which is repealed by item 8 below.
1571. New subsection 80W(4) of the Privacy Act extends the application of Part 7 of the Regulatory Powers Act, as that Part applies to the provisions of the Privacy Act, to every external Territory. New subsection 80W(4) of the Privacy Act reflects existing arrangements under that Act (see section 5A of the Privacy Act).
1572. Application of the standard injunctions provisions of the Regulatory Powers Act does not result in an expansion of the current regulatory powers framework of the Privacy Act.
Item 8 - Section 98
1573. Item 8 repeals current section 98 of the Privacy Act, which creates a framework for the use of injunctions under that Act.
1574. This item is consequential to the amendments made by item 7 above, which inserts new 'Division 3-Injunctions' of new 'Part VIB-Enforcement' of the Privacy Act and applies Part 7 of the Regulatory Powers Act for the use of injunctions to enforce the provisions of the Privacy Act.
Item 9 - Section 99A
1575. Item 9 inserts 'under the Regulatory Powers Act (as it applies in relation to the civil penalty provisions of this Act)' after every occurrence of 'civil penalty order' in current section 99A of the Privacy Act, which provides for matters in relation to the conduct of directors, employees and agents.
1576. Current section 99A of the Privacy Act provides for matters in relation to the conduct of directors, employees and agents.
1577. Item 9 clarifies that, due to the amendments made by item 7 above, a civil penalty order is made under the Regulatory Powers Act.
1578. Item 9 is consequential to the amendments made by item 7 above, which repeals current Part VIB of the Privacy Act and applies the standard civil penalty, enforceable undertakings and injunctions provisions of the Regulatory Powers Act.
Part 2 - Application and Saving Provisions
Item 10 - Application and saving provision-civil penalties
1579. Item 10 provides for the application of the amendments in this Schedule in relation to civil penalties, and makes it clear that the amendments apply in relation to contraventions of civil penalty provisions occurring on or after the commencement of this Schedule.
1580. This item also provides that Part VIB of the Privacy Act, as in force immediately before the commencement of this Schedule, continues to apply on and after that commencement in relation to contraventions of civil penalty provisions occurring before the commencement of this Schedule.
Item 11 - Application and saving provision-enforceable undertakings
1581. Item 11 provides for the application of the amendments in this Schedule in relation to enforceable undertakings, and makes it clear that the amendments apply in relation to undertakings given on or after the commencement of this Schedule.
1582. This item also provides that Division 3B of Part IV of the Privacy Act, as in force immediately before the commencement of this Schedule, continues to apply on and after that commencement in relation to the following:
- a. an undertaking given before the commencement of this Schedule
- b. an application for an order made, but not decided, under current subsection 33F(1) of the Privacy Act before the commencement of this Schedule, and
- c. an order made under current subsection 33F(2) of the Privacy Act before, on or after the commencement of this Schedule as a result of an application made before that commencement.
Item 12 - Application and saving provision-injunctions
1583. Item 12 provides for the application of the amendments in this Schedule in relation to injunctions, and makes it clear that the amendments apply in relation to contraventions occurring on or after the commencement of this Schedule.
1584. This item also provides that section 98 of the Privacy Act, as in force immediately before the commencement of this Schedule, continues to apply on and after that commencement in relation to contraventions occurring before the commencement of this Schedule.