‘Data is a precious thing, and will last longer than the systems themselves.’
– Sir Tim Berners-Lee, Inventor of the World Wide Web
Today, data generates more economic value than the transnational flow of goods and services. By harnessing the consumer-data opportunity, brands can create a viable pathway to profitable growth. Yet, rising geopolitical instability and economic uncertainty have converged to create a perfect storm of factors that have heightened data privacy threats. A spate of recent high-profile data breaches has borne out this adverse reality, and led to an increased consumer awareness of data privacy rights and risks.
In response, governments in the APJ region are evolving their data privacy legislative regimes to remain fit-for-purpose in a fundamentally transformed economic landscape. Whilst regulations often lag developments in the economic sphere, the APJ region presents a further challenge to lawmakers, due to its diversity of markets that span both emerging and developed economies. To overcome this challenge, governments must develop data privacy regulations that balance national interests with global digital competitiveness. The common denominator in any effective data privacy regulatory framework, however, is promoting consumer privacy protections.
Putting Privacy Principles First
Recently, the Australian Government passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 [PLA]. The PLA came into effect on 12 December 2022, and amended the federal Privacy Act 1988 [Privacy Act] to create one of the most stringent privacy penalty regimes in the world. For organisations seeking to remain viable, the stakes have never been higher and the time to act is now.
Specifically, the PLA has enacted the following measures to significantly strengthen privacy protections:
- New and substantially increased penalties for serious or repeated interferences with an individual’s privacy:
  - The PLA has increased the penalty cap from AU$2.2 million to the greater of:
    - AU$50 million; or
    - three times the value of any benefit obtained through the misuse of information; or
    - 30 per cent of a company’s adjusted turnover in the relevant period.
- Expanded extraterritorial jurisdiction of Australian privacy law:
  - The PLA expands the extraterritorial jurisdiction of Australian privacy law, requiring compliance by organisations that are domiciled overseas, but carry on business in Australia.
- Extended enforcement powers of the independent national regulator for privacy and freedom of information, the Office of the Australian Information Commissioner (OAIC):
  - The OAIC’s extended enforcement powers include new investigatory powers, as well as information sharing powers with domestic regulators and international counterparts.
Raising the Regulatory Bar: Privacy as a Key Growth Driver
The amendments to the Privacy Act represent a global trend towards creating an inextricable link between privacy and competitive advantage. With the rise of first-party data amid third-party cookie loss, privacy will be the key to unlocking a competitive edge through data-driven innovation. A recent McKinsey study found that 85% of consumers value knowing an organisation’s privacy policy prior to making a purchase, demonstrating the importance of transparency in building digital trust.
Whilst the Privacy Act amendments represent a significant shift in the Australian Government’s approach to privacy regulation, they are only one step in a broader regional trend towards raising the regulatory bar in data protection standards. For example, Japan’s Act on the Protection of Personal Information [APPI] was recently amended to enhance the regulation of data acquisition, use and provision to third parties. The APPI has been granted an EU adequacy decision, which demonstrates a high level of personal data protection that is comparable to that of the EU’s GDPR. Similarly, Singapore’s Personal Data Protection Act 2012 [PDPA] has recently increased its cap on financial penalties, whilst introducing a mandatory data breach notification requirement.
Boost Digital Trust: The Building Blocks to Privacy-Readiness
As digital transformation accelerates, prioritising privacy will be critical to competitive advantage. Below are immediate practical steps to evolve into the privacy-enabled organisation of the future:
- Systematically test data collection, use, disclosure and retention practices to determine whether the associated privacy risk is necessary and proportionate to the business need.
- Ensure an effective risk management framework from the board-level down to enable robust escalation and reporting policies that are understood and current.
- Implement a comprehensive privacy compliance strategy and policy that is enlivened by a fit-for-purpose data architecture.
- Adopt a privacy-enhancing solution to guard against unauthorised data access, use or loss. As the world’s most trusted CDP, Tealium offers organisations capabilities that are central to a robust risk mitigation framework through consolidating data, enforcing consent across all integrated systems and controlling data access.
- Develop a response system that will enable compliance with applicable Notifiable Data Breach requirements.
As privacy and consent market leaders, Tealium and Deloitte have collaborated to create a centralised consent management solution designed to enhance privacy-readiness in line with evolving data privacy laws. Learn how Tealium and Deloitte’s centralised consent management solution could benefit your organisation by accessing our complimentary white paper: Consumer Data Right: The New Value Exchange.