The government is getting ready to hand out $10 million fines for companies mismanaging user information with new legislation targeting social media companies.

A draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 – or the Online Privacy Bill for short – was circulated on Monday.

The bill aims to make online companies, especially social media platforms and data brokers, more accountable for the data they collect and share about users, and will see the development of an Online Privacy code to govern how these companies comply with the Australian Privacy Principles.

Body corporates that commit repeated or serious privacy breaches could be fined up to 10 per cent of their last year’s turnover under the bill if a court can’t work out the monetary value a company gained from its breach.

Attorney-General Michaelia Cash said companies will be “punished heavily” if they don’t meet Australian privacy standards.

“We know that Australians are wary about what personal information they give over to large tech companies,” she said. “We are ensuring their data and privacy will be protected and handled with care.”

The new bill, which is open for public consultation until 6 December, comes amidst a wholesale review of the Privacy Act.

The Online Privacy Bill outlines the creation of a new code targeting the behaviour of social media services, data brokers, and “large online platforms”.

Under the proposed legislation, social media services are companies that primarily enable online social interaction between multiple end-users in such a way that users can interact with “some or all of the other end-users” and can “post material on the service”.

Alongside existing social media services, such as Facebook, this definition would target online gaming platforms, blogs and forums, as well as messaging apps and videoconferencing services like Zoom.

Data brokers are companies that collect personal information from people through electronic services for the purpose of disclosing that personal information (or information derived from it), while large online platforms are any service that collects personal information about people and has over 2.5 million Australian users.

The designation for “large online platforms” covers the likes of Google Search, Spotify, and Amazon that don’t necessarily connect other end-users for social purposes but do collect large swathes of information on users.

A provision in the code would allow users to request that their personal information not be further used or disclosed, such as for direct marketing, but a user’s request would not stop companies from sharing information with law enforcement.

The code will be developed in consultation with industry – something Dr Rys Farthing, Data Policy Director for Reset Australia, said was cause for concern.

“Given what we know about social media companies, the prospect that they might be involved in the first drafting of this code is worrying,” he said.

“It would be appalling if Facebook, or any industry representative bodies they work with, were to have the first opportunity to draft the very code that is meant to protect children from them.”

Children are a key demographic for this code, which must require social media companies to “take all reasonable steps” to verify the age of their users.

For users under the age of 16, parental or guardian consent will be required before the companies can share any data.

Facebook has come under immense scrutiny in recent weeks following the leak of internal documents from whistleblower Frances Haugen which showed, among other revelations, that the company is aware of how its Instagram product negatively affects the well-being of young users.

In July, Instagram enacted a policy of defaulting users under the age of 16 to private accounts and said it would no longer let advertisers target people younger than 18 based on demographic information beyond their gender, age, and location.