Australian Government to increase data breach penalties

In the wake of two high-profile data breaches, the Australian Government will this week introduce legislation that dramatically increases the financial penalties entities face for repeated or serious privacy breaches.

Attorney-General Mark Dreyfus said he would table the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 in Parliament. The bill would significantly increase the existing maximum penalty of AU$2.22 million set down by the Privacy Act 1988.

Under the proposed bill, the penalty will increase to whichever is the greater of an AU$50 million fine; three times the value of any benefit obtained through the misuse of information; or 30% of a company’s adjusted turnover in the relevant period.

“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” said the Attorney-General.

“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”

The new legislation comes after two big data breaches involving telco Optus and health insurer Medibank Private in which the sensitive data of millions of customers was stolen. Other large entities also experiencing data breaches in the last month include Energy Australia, Telstra, G4S, Costa Group, MyDeal, and Dialog.

In addition to increasing penalties, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill will also hand the Australian Information Commissioner (AIC) greater powers to resolve privacy breaches; strengthen the Notifiable Data Breaches scheme to improve the information provided to the AIC to better enable it to assess the risk of harm; and give the AIC and the Australian Communications and Media Authority (ACMA) greater information sharing powers.

“When Australians are asked to hand over their personal data, they have a right to expect it will be protected,” said Dreyfus. “I look forward to support from across the Parliament for this Bill.”

Prime Minister Anthony Albanese formally added fighting cybercrime to the Attorney-General’s responsibilities only last week, leaving Cybersecurity Minister Clare O’Neil responsible for cyber policy coordination.

The Government’s move also comes just weeks after the Opposition Attorney-General Julian Lesser called for tougher online privacy and data protection laws. Dreyfus had previously flagged that he intended to make changes to the Privacy Act, something the Opposition had welcomed.

“It should not have taken the cyberattack on Optus to wake up this government,” said Lesser. “The protection of Australians’ personal information online must be a high priority for the Albanese Government.”

Notably, the Opposition’s proposed reforms only increased fines up to AU$10 million, and then only for serious, repeated breaches. However, Opposition Home Affairs Minister, Karen Andrews, has recently upped the ante and called for cyber-extortionists to face prison penalties of up to ten years.

While some insiders ask whether it is fair to fine an entity for falling victim to a cyber-attack, others say the increase in penalties will encourage those entities to focus on cyber-defences and re-evaluate what customer data they retain and for how long. Dreyfus says the government is committed to the ongoing strengthening of privacy laws.