Civil penalty provision for breaching Australian Privacy Principles
(1) An entity contravenes this subsection if:
(a) the entity does an act, or engages in a practice; and
(b) the act or practice breaches any of the following Australian Privacy Principles:
(i) Australian Privacy Principle 1.3 (requirement to have APP privacy policy);
(ii) Australian Privacy Principle 1.4 (contents of APP privacy policy);
(iii) Australian Privacy Principle 2.1 (individuals may choose not to identify themselves in dealing with entities);
(iv) Australian Privacy Principle 6.5 (written notice of certain uses or disclosures);
(v) Australian Privacy Principle 7.2(c) or 7.3(c) (simple means for individuals to opt out of direct marketing communications);
(vi) Australian Privacy Principle 7.3(d) (requirement to draw attention to ability to opt out of direct marketing communications);
(vii) Australian Privacy Principle 7.7(a) (giving effect to request in reasonable period);
(viii) Australian Privacy Principle 7.7(b) (notification of source of information);
(ix) Australian Privacy Principle 13.5 (dealing with requests);
(x) any other Australian Privacy Principle prescribed by the regulations.
Note: Conduct that contravenes this section may also contravene section 13G or 13H.
Civil penalty provision for non-compliant eligible data breach statement
(2) An entity contravenes this subsection if:
(a) the entity prepares a statement under section 26WK (eligible data breaches); and
(b) the statement does not comply with subsection 26WK(3).
(3) Subsections (1) and (2) are civil penalty provisions.
Note: Section 80U deals with civil penalty provisions in this Act.
Maximum pecuniary penalty
(4) The amount of the penalty payable by a person in respect of a contravention of subsection (1) or (2) must not exceed 200 penalty units.