Australia has confirmed an incoming legislative change will significant strengthen its online privacy laws following a spate of data breaches in recent weeks — such as the Optus telco breach last month.
“Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It’s not enough for a penalty for a major data breach to be seen as the cost of doing business,” said its attorney-general, Mark Dreyfus, in a statement at the weekend.
“We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour.”
The changes will be made via an amendment to the country’s privacy laws, following a long process of consultation on reforms.
Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4M) penalty to whichever is the greater of:
AUS $50 million (~$32M);
3x the value of any benefit obtained through the misuse of information; or
30% of a company’s adjusted turnover in the relevant period
These amounts are substantially higher than an earlier draft of the reform last year (when penalties of AUS $10M or 10% of turnover were being considered).
Major breaches such as at Optus — and another that followed hard on its heels, at the health insurer Medibank Private — appear to have concentrated lawmakers’ minds.
The change of government, earlier this year, also means there’s a new broom at work.
Additional changes trailed by Dreyfus include greater powers for the Australian information commissioner and a beefed up Notifiable Data Breaches scheme to provide the privacy watchdog with a more comprehensive view of what’s been compromised in a breach, also so it can assess the risk of harm to individuals.
The information commissioner and the Australian Communications and Media Authority will also be furnished with greater information sharing powers to enable more regulatory joint-working.
Both agencies opened investigations of Optus following last month’s breach.
The privacy legislation amendment bill is slated to be presented to Australia’s parliament this week, per Reuters.
The Attorney-General’s Department is also undertaking a comprehensive review of the Privacy Act that’s due to be completed this year, with recommendations expected for further reform, it said.
“I look forward to support from across the Parliament for this Bill, which is an essential part of the Government’s agenda to ensure Australia’s privacy framework is able to respond to new challenges in the digital era. The Albanese Government is committed to protecting Australians’ personal information and to further strengthening privacy laws,” added Dreyfus.