Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

  • On this page

Publication date: January 2023

Introduction

8.1 An infringement notice is a notice issued by a regulatory authority or enforcement agency to a person or entity that sets out the particulars of an alleged contravention of an offence or civil penalty provision and an amount to be paid. A person who is issued with an infringement notice can choose to pay the penalty amount specified in the notice as an alternative to court proceedings.

8.2 If a person does not comply with an infringement notice, the OAIC may commence court proceedings against that person for the alleged contravention the subject of the infringement notice.

8.3 Nonetheless, infringement notices are designed to provide an alternative to potential litigation of a matter and encourage timely and cost-efficient enforcement outcomes in relation to relatively minor contraventions of the Privacy Act.

Legislative framework

8.4 Section 80UB of the Privacy Act with Part 5 of the Regulatory Powers Act empowers the Commissioner and the OAIC’s Senior Executive Service staff (SES) to issue an infringement notice when there are reasonable grounds to believe that a person has contravened s 66(1) of the Privacy Act.

8.5 A person contravenes s 66(1) if they fail (or refuse) to give information, answer a question or produce a document or record when required to do so under the Privacy Act (for example if they refuse to provide information during the course of an assessment under Division 3A of the Privacy Act or an investigation under Part V of the Privacy Act).

8.6 Section 66 is subject to the safeguard in s 66(1B), which provides that a person cannot be penalised if they have a reasonable excuse.

Purpose and key features of an infringement notice

8.7 Infringement notices are intended to encourage compliance and enable the OAIC to quickly and effectively resolve privacy complaints and investigations, as investigations can be delayed due to the failure of parties to respond to requests for information.

8.8 Infringement notices issued under s 80UB of the Privacy Act are an alternative to litigation and may be used in circumstances where a regulatory response is justified, but where it is preferable to attempt to resolve the matter outside of court in the first instance.

When will an infringement notice be issued

8.9 The Commissioner and/or a member of the OAIC SES may issue a person with an infringement notice for an alleged contravention of s 66(1) of the Privacy Act if they believe on reasonable grounds that a person has contravened that section.

8.10 Whether there are reasonable grounds for forming a belief is an objective test to be determined according to the facts of each matter.

8.11 The Commissioner and/or a member of the OAIC SES must issue an infringement notice within 12 months of the alleged contravention of s 66(1). The notice cannot relate to more than one alleged contravention of that provision.

8.12 In accordance with s 104(2) of the Regulatory Powers Act, the amount to be stated in the infringement notice will be 12 penalty units for a person, and 60 penalty units for bodies corporate.[1]

8.13 The amount payable in an infringement notice is significantly lower than the civil penalties that a court could impose in relation to the alleged contravention under s 66(1).[2]

Multiple infringement notices

8.14 An infringement notice under s 80UB of the Privacy Act will set out the particulars of a single alleged contravention of s 66(1).

8.15 Where there has been more than one contravention of s 66(1), the OAIC may issue a recipient (that is not a body corporate) with multiple infringement notices, each relating to a separate contravention.

8.16 Where there has been more than one contravention of s 66(1) by a body corporate then section 80UB of the Privacy Act is not applicable and an infringement notice cannot be issued.

8.17 This is because two or more contraventions of s 66(1) by a body corporate is a criminal offence under s 66(1AA) that may attract a maximum penalty of 300 penalty units. This means that where a body corporate has engaged in serious, systemic conduct or a pattern of behaviour, the Commissioner cannot issue an infringement notice but may refer the matter to the Commonwealth Director of Public Prosecutions.

Content of an infringement notice

8.18 The following matters must be included in an infringement notice that is issued to a recipient:

  • information regarding the nature of the alleged contravention of s 66(1);
  • the maximum penalty that a court can impose in connection with the alleged contravention (being 300 penalty units for a body corporate and 60 penalty units for an individual);
  • the penalty amount to be paid and the period for payment (usually 28 days) if the person wishes to avoid court action;
  • the name and contact details of the Commissioner or member of the OAIC SES who issued the notice;
  • how to seek an extension of time for payment by way of an application to the Commissioner; and
  • how to seek withdrawal of a notice by way of written representations to the Commissioner.[3]

8.19 The infringement notice is also required to state that the person may choose not to pay the penalty and notify them that, if they choose not to pay, proceedings seeking a civil penalty order for contravention of s 66(1) may be brought against them in a court.

The decision to issue an infringement notice

8.20 Whether an infringement notice will be issued will be determined on a case-by-case basis. The Commissioner or member of the OAIC SES will only consider issuing an infringement notice where it is likely to seek a court-based resolution should the recipient of the notice choose not to pay.

8.21 Consideration of the following additional factors may also influence that decision:

  • the alleged contravention, the business involved and the impact of the conduct
  • the complexity of the matter including the nature of the OAIC’s request for information and/or production of documents
  • the background and context of the matter (including any public scrutiny and media attention)
  • other available options, including court enforceable undertakings, civil penalty proceedings, and criminal proceedings.

8.22 In deciding whether to issue an infringement notice, the OAIC will also refer to the factors set out in the Privacy Regulatory Action Policy.

8.23 The following are non-exhaustive examples of circumstances in which the OAIC may decide to issue an infringement notice:

  • the OAIC has formed the view that the contravening conduct is relatively minor or less serious, but which warrants a regulatory response from the OAIC
  • the contravention of s 66(1) is a ‘one-off’ or is part of an isolated incident
  • there are likely to be lower levels of harm (in respect of privacy) to arise from the alleged contravention of s 66(1)

8.24 Conversely, the OAIC is less likely to consider issuing an infringement notice where:

  • the concerns are more serious in nature and warrant consideration by a court
  • there have been significant impacts arising from the alleged failure to provide the information and/or documentation
  • there are concerns that the alleged conduct may be continuing
  • there are questions about timing, including whether the alleged conduct occurred within the 12-month period set out at paragraph 8.12.

Issuing an infringement notice

8.25 The OAIC will generally have engaged with the relevant person or body corporate before it decides that an infringement notice may be an appropriate regulatory response in the matter.

8.26 This is because an infringement notice will only be issued to a recipient following non-compliance with a request for information or production of documents under s 66(1) of the Privacy Act.[4]

Receiving an infringement notice

8.27 The compliance period for payment of an infringement notice penalty is 28 days. The compliance period may only be extended for a maximum period of a further 28 days per extension request[5] but the Commissioner may grant an extension of time in relation to an infringement notice more than once.[6]

8.28 The recipient of an infringement notice should ensure that the payment is received by the OAIC within the compliance period, as set out in the notice.

Seeking an extension of time to pay

8.29 The recipient may, before the end of the compliance period, seek an extension of time to pay the amount specified in the notice.[7] An application for an extension of time must be made in writing to the Commissioner and should include:

  • whether they intend to pay the infringement notice penalty;
  • why they are not able to pay the infringement notice penalty within the current compliance period; and
  • why they anticipate they will be able to comply, if the compliance period is extended.

8.30 If the Commissioner does not grant an extension of time, then the compliance period expires on the later of:

  • the last day of the period specified in the original notice (this will usually be on the 28th day for the period commencing on the day after the notice is given); or
  • on the 7th day after the notice of the Commissioner’s decision not to extend the compliance period was given (with that 7 day period commencing the day after the notice is given).[8]

Seeking withdrawal of an infringement notice

8.31 A recipient of an infringement notice is also permitted to seek withdrawal of an infringement notice by way of written representations to the Commissioner.[9]

8.32 When deciding whether or not to withdraw an infringement notice, the Commissioner will consider the recipient’s written representations and may also take into account:

  • whether a court has previously imposed a penalty on the recipient for a contravention of s 66(1)
  • the circumstances of the alleged contravention the subject of the notice
  • whether the recipient has paid an amount in an earlier infringement notice for contravention of s 66(1) where the conduct the subject of that contravention is the same, or substantially the same, as the conduct set out in the current infringement notice (that is sought to be withdrawn)
  • any other matters that the Commissioner considers to be relevant.

8.33 If the Commissioner makes a decision to withdraw an infringement notice, a notice of withdrawal must be provided to the recipient. That withdrawal notice must state:

  • the recipient’s name and address
  • the day the infringement notice was given
  • the identifying number of the infringement notice
  • that the infringement notice is withdrawn
  • that proceedings seeking a civil penalty order may be brought against them in relation the alleged contravention of s 66(1)

8.34 If an infringement notice is withdrawn, the OAIC will consider on a case-by-case basis whether further action is appropriate. That action could include the institution of proceedings for the alleged contravention of s 66(1) to seek the civil penalty set out in that section.[10]

Implications of paying an infringement notice amount

8.35 If the recipient pays the penalty amount stated in the infringement notice before the end of the compliance period:

  • the recipient is discharged from liability in respect of the alleged contravention of s 66(1) set out in the notice
  • the OAIC cannot commence count proceedings in relation to the alleged contravening act
  • the recipient is not regarded as having admitted guilt or liability for the alleged contravention.

Implications of not paying an infringement notice amount

8.36 There is no legal obligation to pay an infringement notice penalty. However, if a recipient does not make payment before the deadline, proceedings may be brought against the recipient in relation to contravention of s 66(1).

8.37 If civil penalty proceedings are brought against the recipient under s 66(1) then the maximum penalty is 300 penalty units for a body corporate[11] and 60 penalty units for an individual.[12]

Footnotes

[1] At the current penalty unit value in December 2022, this leads to a maximum penalty of $2,664 for a person and $13,320 for bodies corporate. Penalty unit values tend to increase over time.

[2] Section 66(1) is a civil penalty provision, the contravention of which attracts a penalty of 300 penalty units for a body corporate (under section 82(5) of the Regulatory Powers Act, the penalty for body corporates (if it is not specified in the civil penalty provision) must not be more than 5 times the penalty specified in the civil penalty provision) and 60 penalty units for an individual. At the current penalty unit value, this leads to a maximum penalty of $13,320 for a person and $66,600 for bodies corporate. The value of a penalty unit is contained in s 4AA of the Crimes Act 1914 (Cth) — see https://www.legislation.gov.au/Series/C1914A00012.

[3] Section 104(1) of the Regulatory Powers Act sets out the requirements for what should be included in an infringement notice issued to a recipient.

[4] For example, under ss 33C(3), 44(1), 46(4) or 47(1).

[5] See section 104(1)(h) of the Regulatory Powers Act.

[6] See section 105(5) of the Regulatory Powers Act.

[7] See section 105 of the Regulatory Powers Act.

[8] See section 105(4) of the Regulatory Powers Act.

[9] See section 106 of the Regulatory Powers Act.

[10] 300 penalty units for a body corporate (under section 82(5) of the Regulatory Powers Act, the penalty for body corporates (if it is not specified in the civil penalty provision) must not be more than 5 times the penalty specified in the civil penalty provision) and 60 penalty units for an individual. At the current penalty unit value, this leads to a maximum penalty of $13,320 for a person and $66,600 for bodies corporate. The value of a penalty unit is contained in s 4AA of the Crimes Act 1914 (Cth) — see https://www.legislation.gov.au/Series/C1914A00012.

[11] Under section 82(5) of the Regulatory Powers Act, the penalty for body corporates (if it is not specified in the civil penalty provision) must not be more than 5 times the penalty specified in the civil penalty provision.

[12]At the current penalty unit value, this leads to a maximum penalty of $13,320 for a person and $66,600 for bodies corporate. The value of a penalty unit is contained in s 4AA of the Crimes Act 1914 (Cth) — see https://www.legislation.gov.au/Series/C1914A00012.