Backlash from recent high-profile data breaches amid a major review of Australia's privacy law has resulted in a regulatory environment likely to create significant privacy changes.
Insurance law firm Clyde & Co has released a report discussing two core areas of recent privacy changes that became law in December 2022:
The report also showed how these changes affect the Australian insurance industry.
Under the previous extraterritorial test, whether overseas-based entities or related companies involved as insurers, reinsurers, or service providers to the Australian insurance industry were subject to the Australian Privacy Act depended on the following:
In mid-2022, the Office of the Australian Information Commissioner (OAIC) amended the interpretation of the extraterritoriality wording, requiring an offshore group service provider (SP) to an Australian-based gig economy company to comply with the Australian privacy laws even though the SP did not directly collect or hold any personal information in Australia.
“While we believe the then wording of the relevant provision in the Australian Privacy Act did not permit such a conclusion, it is now a moot point,” Clyde & Co said.
In December 2022, legislation amending the extraterritorial application of the Privacy Act removed the requirement for an offshore entity to have, at some time, directly collected or held the relevant personal information in Australia.
“Now, if an offshore entity is ‘carrying on business’ (for the purposes of the Privacy Act) in Australia, then that entity is required to comply with the Privacy Act, at least as regarding all of the Australian-related personal information it processes,” Clyde & Co said.
Before the December 2022 legislative changes, some offshore entities subject to the Australian privacy law were unaware of requirements or unconcerned as to whether they needed to comply with the privacy law, given that:
However, the legislative amendments and expected significant changes to the Australian privacy law warrant a different approach.
“At the same time as changing the extraterritoriality provisions, in December 2022, the maximum penalty for a serious invasion and repeated invasions of privacy (i.e., contravention of the Australian privacy law) was increased from the $2.22 million maximum to up to the greater of $50 million and 30% of the turnover of the enterprise for the greater of 12 months and the period of time over which the contravention occurred,” the report said.
Climate is another area that is expected to impact the Australian insurance industry. In a recent report, Clyde & Co discussed the latest climate litigation trends in Australia and shared its predictions for 2023.