Companies now face a fine of $50 million for “serious or repeated” privacy breaches while the privacy watchdog will have stronger powers after legislation passed Parliament on Monday.
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed both houses of Parliament with bipartisan support on Monday with a minor amendment, and will become law after receiving Royal Assent.
The bill substantially increases the fine for companies that breach the privacy of their customers or clients and hands new powers to the Office of the Australian Information Commissioner (OAIC) to combat data breaches.
Despite being waved through, both the Opposition and the Greens raised significant concerns about the bill, particularly around a lack of definitions of key terms and no differentiation between companies which may “benefit” from breaching privacy and those who do so by accident or are targeted by hackers.
The bill increases the current penalty for a company breaching privacy laws from $2.5 million to whichever of the following is higher: $50 million, three times the value of any benefit obtained through the breach, or 30 percent of its adjusted turnover for the financial year.
This penalty will be for companies engaging in “repeated or serious privacy breaches”.
The OAIC will also be given additional enforcement powers, including an expansion of the types of declarations the Commissioner can make in a determination after an investigation of a privacy breach is completed, and new powers to conduct assessments.
It also amends the extraterritorial jurisdiction of Australia’s Privacy Act to ensure foreign companies conducting business in the country are subject to it.
Attorney-General Mark Dreyfus welcomed the passage of the legislation.
“This is the first step in cleaning up the former government’s mess,” Dreyfus said. “The former government started a Privacy Act review in 2020, and never finished it. It pledged to legislate tougher penalties, and never did it.
“These new, larger penalties send a clear message to large companies that they must do better to protect the data they collect. Significant privacy breaches in recent months have shown existing safeguards are outdated and inadequate. These reforms make clear to companies that the penalty for a major data breach can no longer be regarded as the cost of doing business.”
The legislation was criticised in Parliament for not defining the key terms of “serious” or “repeated”.
“Those who are going to be impacted by these laws and have obligations to discharge under this legislation need to be given a clear and concise definition of what ‘serious’ or ‘repeated’ mean in this context,” Liberal Senator Paul Scarr said.
Both the Opposition and the Greens also raised concerns that the new penalties aren’t enforced with a staggered approach and could apply to smaller companies as well as multinationals.
“There’s a major issue with respect to a regime that imposes the same type of penalty in relation to the largest of multinationals, which should have sophisticated cyber-defences in place, as opposed to medium-sized enterprises or even charities that get hacked by a malicious actor – in many cases, a foreign actor,” Scarr said.
“There’s no distinction on the face of this penalty clause to those different circumstances, and that’s a major failing in this penalty clause.”
Greens Senator David Shoebridge said the party also had “reservations” about the bill, and described the one penalty on offer as the “nuclear option”, calling for a nuanced approach instead.
The Greens also moved an amendment calling for the introduction of a statutory civil cause of action for serious invasion of privacy in the Privacy Act, but this was rejected by the government, which said this matter would be dealt with as part of the ongoing review of the Privacy Act.
The new penalty comes after two of the biggest data breaches Australia has ever seen, with cyber attacks on Optus and Medibank shining a spotlight on the privacy practices of large companies and the importance of cyber security.