The Albanese Government will next week introduce legislation to significantly increase penalties for data breaches, proposing fines of up to $50m.
In a statement on 22 October, Attorney-General Mark Dreyfus announced the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, which would drastically increase the maximum fines for serious or repeated privacy breaches.
This change could see some of Australia's biggest companies facing unprecedented fines for future data breaches, and signals a major shift in Australian privacy legislation.
This bill, while highly significant, is not surprising. Soon after Optus' landmark data breach, multiple government figures came out with heavy-handed criticism of the current penalties for data breaches, which are capped at $2.2 million.
Home Affairs Minister Clare O'Neil had said the current level of penalties was "totally inappropriate", and told parliament that under other jurisdictions, a data breach of similar size as Optus' would "result in fines amounting to hundreds of millions of dollars".
Changes to Australian privacy and cyber security laws have been widely forecast in the month since the Optus breach, and with further incidents at companies such as Medibank, legislative changes are now arriving at a breakneck pace.
"Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate," said Dreyfus.
"It's not enough for a penalty for a major data breach to be seen as the cost of doing business," he added.
Scott Leach, vice president at cyber firm Varonis, said the various breaches of the past few weeks had shown "some of Australia’s largest organisations are completely unprepared when it comes to data privacy and protection".
"The previous fines of up to $2.2M were a completely inadequate deterrent, which didn’t motivate businesses enough to protect the sensitive personal information of their customers.
"Up until now, it has simply been easier for large organisations to pay the fine if they experience a breach, rather than invest the large amount of resources required to improve the security of their operations.
"These new penalties will hopefully incentivise companies to implement the proper safeguards once and for all, rather than taking a chance on people’s personal information."
The $50m figure is a floor rather than a ceiling: depending on a company's turnover and the value of any benefit it obtained by misusing the information, the maximum penalty could be significantly higher.
Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current $2.22 million penalty to whichever is the greater of:
● $50 million;
● three times the value of any benefit obtained through the misuse of information; or
● 30% of a company's adjusted turnover in the relevant period.
The turnover-based limb means the maximum penalty scales with the size of the company: under certain circumstances, a large company responsible for a serious data breach could face a penalty of up to 30% of its adjusted turnover for the period in which the contravention occurred.
"We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour," said Dreyfus.
Greater powers for government
Dreyfus said the new Privacy Legislation Amendment Bill will also give the Australian Information Commissioner, who heads the Office of the Australian Information Commissioner (OAIC), Australia's independent privacy regulator, "greater powers" to resolve privacy breaches.
The bill will also:
● strengthen the Notifiable Data Breaches scheme to ensure the Australian Information Commissioner has comprehensive knowledge and understanding of information compromised in a breach to assess the risk of harm to individuals; and
● equip the Australian Information Commissioner and the Australian Communications and Media Authority with greater information sharing powers.
The statement does not delve into the full extent of what these "greater powers" may entail.
Dreyfus also signalled expected reforms to the Privacy Act, stating a comprehensive review into the legislation is scheduled for completion this year.
"I look forward to support from across the Parliament for this Bill, which is an essential part of the Government's agenda to ensure Australia's privacy framework is able to respond to new challenges in the digital era," he said.
Even before the recent slew of massive data breaches at Australian companies, industry experts had voiced ongoing concern that Australia's privacy and cyber security laws were behind the curve.
The EU General Data Protection Regulation, for example, sets a maximum fine for the most serious infringements of €20 million (approximately A$32 million) or 4 per cent of annual global turnover, whichever is higher.
The recent statements and proposed legislation indicate that Australia is likely to take a far stricter approach to non-compliant companies in future, with greater emphasis on transparency and deterrence.
"The reputational harm clearly isn't enough. There needs to be much tougher penalties so that companies have an absolutely clear incentive," said Dreyfus, according to the ABC.
The bill will be presented to parliament next week.